Abstract. We develop cryptographically secure techniques to guarantee unconditional privacy for respondents to polls. Our constructions are efficient and practical, and are shown not to allow cheating respondents to affect the "tally" by more than their own vote — which will be given the exact same weight as that of other respondents. We demonstrate solutions to this problem based on both traditional cryptographic techniques and quantum cryptography.

Keywords: classical cryptography, oblivious transfer, polling, privacy, privacy-preserving data-mining, quantum cryptography, randomized response technique

1 Introduction 

In some instances, privacy is a matter of keeping purchase information away from telemarketers, competitors, or other intruders. In other instances, privacy translates to security against traffic analysis, such as for web browsing, or to security of personal location information. In still other instances, which we study in this paper, privacy is a precondition to being able to obtain answers to important questions. Two concrete examples of instances of the latter are elections and surveys/polls.

While the first of these examples is the one of the two that has received — by far — the most attention in the field of cryptography, there are important reasons to develop better privacy tools for polling. Surprisingly, the two examples (namely, elections and polls), while quite similar at first sight, are very different in their requirements. First, since it is typically the case that there is more funding available for providing privacy in elections than in surveys and polls, it follows that the tallying process in the former may involve more costly steps than that in the latter — whether the process is electronic (using, e.g., mix networks) or mechanical. Second, while in the case of a voting scheme users need to entrust their privacy to some set of authorities, it is often the case that there is less trust established between the parties in polls. Yet another reason to treat the two situations separately is that elections involve many more respondents than polls typically do, thereby allowing a unique opinion (e.g., vote) to be hidden among many more in the case of elections than in the case of polls. Finally, while elections require as exact tallying as is possible, statistical truths are both sufficient and desirable in polls. This allows the use of polling techniques that are very different from election techniques — in terms of their cost, how tallying is done, and how privacy is protected.

While not given much attention in cryptography, important work on polling has been done in statistics. In particular, the randomized response technique (RRT) was proposed by Warner [War65] in 1965, with the goal of being used in polls relating to sensitive issues, such as drug abuse, sexual preferences and shoplifting. The underlying idea behind Warner's proposal is for respondents to randomize each response according to a certain, and known, probability distribution. More precisely, they answer the question truthfully with some probability $p_{ct} > 1/2$, while with a fixed and known probability $1 - p_{ct}$ they lie. Thus, users can always claim that their answer — if it is of the "incriminating" type — was a lie. When evaluating all the answers of the poll, these lies become statistically insignificant given a large enough sample (where the size of the sample can be simply computed from the probability distribution governing lying).

However, a pure RRT by itself is not well suited for all types of polls. E.g., it is believed that people are more likely to vote for somebody who leads the polls than for somebody who is behind. Therefore, it could be politically valuable not to lie (as required by the protocol) in polls relating to one's political opinion, and thereby have one's "vote" assigned a greater weight. (This is the case since people with the opposite opinion — if honestly following the protocol — will sometimes cast a vote according to your opinion, but you would never cast a vote according to their opinion, assuming you are willing to cheat.) While the results of the poll remain meaningful if everybody cheats (i.e., tells the truth with a probability different from that specified by the protocol), this is not the case when only some people deviate from the desired behavior. Also, while one might say that the increased weight in the polls is gained at the price of the cheater's privacy, this is not necessarily the case if the cheater claims to have followed the protocol, and there is no evidence to the contrary.

To address the problem of cheating respondents in RRT, we propose the notion of cryptographic randomized response technique (CRRT), which is a modification of RRT that prevents cheating. We present three efficient protocols for CRRT; two of them use classic cryptographic methods (and are efficient for different values of $p_{ct}$), and one uses quantum methods. Importantly, the quantum RRT protocol is implementable using contemporary technology. We give rigorous proofs of security for one of the classical protocols and for the quantum protocol.

For all of our proposed solutions, the privacy of the respondent will be guaranteed information-theoretically (more precisely, statistically). This is appropriate to stimulate truthful feedback on topics that may affect the respondent for years, if not decades. All proposed solutions also guarantee that the respondents reply based on the desired probability distributions. Clearly, this requires that the respondent cannot determine the outcome of the protocol (as viewed by the interviewer) before the end of the protocol. Otherwise, he could simply halt the execution of the protocol to suppress answers in which the communicated opinion was a lie. We will therefore require protocols to offer privacy for the interviewer as well as for the respondent, meaning that the respondent cannot learn what the outcome of the protocol is, as seen by the interviewer. (One could relax this requirement slightly to allow the respondent to learn the outcome at the same time as the interviewer does, or afterward.)
While we believe that it is important to prevent the respondent from biasing the outcome by selective halting (corresponding to the protocol being strongly secure), we also describe simplified versions of our protocols in which this protection mechanism is not available. Such simplified versions (which we refer to as weakly secure) can still be useful in some situations. They may, for example, be used as the default scheme for a given application — where they would be replaced by their strongly secure relatives if too many interactions are halted prematurely. (The decision of when the shift would be performed should be based on standard statistical methods, and will not be covered herein.) The benefit of considering such dual modes is that the weakly secure versions typically are computationally less demanding than the strongly secure versions.

Finally, we also discuss cryptographic enhancements to two alternative RRT techniques. In the first, referred to as RRT-IQ, the respondent always gives the truthful answer to the question he is presented with. However, with a certain probability, he is presented with an innocuous question instead of the intended question. A second alternative RRT technique is what is referred to as polychotomous RRT. In this version of RRT, the respondent is given more than two possible options per question.

In particular, our first protocol uses a novel protocol for information-theoretically secure verifiable oblivious transfer that enables easier zero-knowledge proofs on the properties of the transferred values. The described protocol may also be useful in other applications. We also note that our techniques have applications in privacy-preserving data-mining, see Section 3.

Outline. We first review the details of the randomized response technique (Section 2), after which we review some related work in cryptography (Section 3). We then introduce the cryptographic building blocks of our protocols (Section 4). We then describe the functionality of our desired solution in terms of functional black boxes and protocol requirements (Section 5). In Section 6, we present our secure CRRT protocols. In Section 7 we describe cryptographic solutions to other variants of the standard RRT. The appendix contains additional information about the new oblivious transfer protocol and about the quantum RRT protocol.

2 Short Review of Randomized Response Technique 

When polling on sensitive issues like sexual behavior or tax evasion, respondents often deny their stigmatizing behavior due to the natural concern about their privacy. In 1965, Warner [War65] proposed the Randomized Response Technique (RRT) for the organization of polls where an unbiased estimator (UE) of the summatory information — the proportion of people belonging to a stigmatizing group $A$ — can be recovered, while the privacy of every individual respondent is protected statistically. Since then, different variations of the RRT have been proposed in statistics, see [CM88] for a survey. These different variations provide, for example, smaller variance, smaller privacy breaches, optimality under different definitions of privacy, and the ability to answer polychotomous questions. Next we will give a short overview of three types of RRT.

RRT-W. In Warner's original method (RRT-W), the respondents provide a truthful answer to the question "Do you belong to a stigmatizing group $A$?" with a certain fixed and publicly known probability $p_{ct} > 1/2$. With probability $1 - p_{ct}$ they lie — i.e., answer the opposite question. Define $\pi_A$ to be the true proportion of the population that belongs to $A$ (or whose type is $t = 1$). Let $p_{yes}$ be the proportion of "yes" responses in the poll. Clearly, in RRT-W the a priori probability of getting a "yes" response is $p_{yes} = p_{ct} \cdot \pi_A + (1 - p_{ct})(1 - \pi_A)$. In the case of $N$ players, $L$ of which answer "yes", an UE of $p_{yes}$ is $\hat p_{yes} = L/N$, the sample proportion of "yes" answers. From this, one can simply compute the unbiased estimator of $\pi_A$. This equals

$$\hat\pi_A = \frac{\hat p_{yes} - (1 - p_{ct})}{2p_{ct} - 1} = \frac{p_{ct} - 1}{2p_{ct} - 1} + \frac{1}{2p_{ct} - 1} \cdot \hat p_{yes} .$$

Similarly, the variance $\mathrm{var}(\hat\pi_A)$ and its UE can be computed.

RRT-IQ. An alternative RRT is the innocuous question method (RRT-IQ), first analyzed in [GASH69]. When using RRT-IQ, the respondent answers the sensitive question with probability $p_{ct}$, while with probability $1 - p_{ct}$ he answers an unrelated and innocuous question, such as "Flip a coin. Did you get tails?". The RRT-IQ achieves the same goals as RRT-W but with less variance [CM88], which makes it more suitable for practical polling. Many other RRT-IQs are known, including some with an unknown estimate of the proportion of the population belonging to the innocuous group.

PRRT. The RRTs for dichotomous polling (where the answer is yes or no) can be generalized to polychotomous RRT (PRRT), where the respondent can belong to one of the $m$ mutually exclusive groups $A_1, \dots, A_m$, some of which are stigmatizing. A typical sensitive question of this kind is "When did you have your first child?", with answers "1 — while not married", "2 — within 9 months after the wedding" and "3 — more than 9 months after the wedding". In many cultures, the answer 1 is stigmatizing, the answer 3 is innocuous, while the answer 2 is somewhere in between. The interviewer wants to know an UE for the proportion $\pi_i$ of people who belong to the group $A_i$, $i \in [1, m]$. There are many possible PRRTs [CM88, Chapter 3]. One of the simplest is the following technique PRRT-BD by Bourke and Dalenius [BD76]: first fix the probabilities $p_{ct}$ and $p_1, \dots, p_m$, such that $p_{ct} + \sum_{i \in [1,m]} p_i = 1$. A respondent either reveals her true type $t \in [1, m]$ with probability $p_{ct}$, or answers $i \in [1, m]$ with probability $p_i$. To recover an UE of $\pi := (\pi_1, \dots, \pi_m)^T$, define $p := (p_1, \dots, p_m)^T$ and $p_{ans} := (p_{ans_1}, \dots, p_{ans_m})^T$, where $p_{ans_i}$ is the proportion of people who answer $i$. Then $p_{ans} = p_{ct} \cdot \pi + p$, and hence $\pi = p_{ct}^{-1} \cdot (p_{ans} - p)$.
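The estimators of this section, together with the cheating effect described in the introduction, as an added example (not part of the paper): the RRT-W and PRRT-BD unbiased estimators are the formulas above, the variance is the standard Warner formula, and the cheating model (a fraction of type-1 respondents who never lie) is a constructed one.

```python
"""Unbiased estimators for RRT-W and PRRT-BD, and the bias that cheating
respondents introduce into RRT-W. Constructed example; the sample counts are
made up."""
import random


def rrt_w_estimate(yes_count: int, n_resp: int, p_ct: float) -> float:
    """UE of pi_A from L 'yes' answers out of N in RRT-W:
    p_yes = p_ct*pi_A + (1-p_ct)*(1-pi_A)  =>  pi_A = (p_yes - (1-p_ct)) / (2p_ct - 1)."""
    if not 0.5 < p_ct <= 1.0:
        raise ValueError("RRT-W needs p_ct > 1/2")
    p_yes_hat = yes_count / n_resp
    return (p_yes_hat - (1.0 - p_ct)) / (2.0 * p_ct - 1.0)


def rrt_w_variance(pi_a: float, n_resp: int, p_ct: float) -> float:
    """Warner's variance of the RRT-W estimator: the ordinary sampling term plus
    the extra noise injected by the randomised lying (this is
    p_yes(1-p_yes) / (N (2p_ct-1)^2) rewritten)."""
    sampling = pi_a * (1.0 - pi_a) / n_resp
    lying = p_ct * (1.0 - p_ct) / (n_resp * (2.0 * p_ct - 1.0) ** 2)
    return sampling + lying


def rrt_w_biased_expectation(pi_a: float, p_ct: float, cheat_frac: float) -> float:
    """Expected value of the estimator when a fraction `cheat_frac` of the type-1
    respondents always tell the truth (never lie).  Honest type-1: yes w.p. p_ct;
    cheating type-1: yes w.p. 1; type-0: yes w.p. 1-p_ct.  In closed form this is
    pi_A * (1 + cheat_frac*(1-p_ct)/(2p_ct-1)): the cheaters' votes count more."""
    p_yes = pi_a * ((1.0 - cheat_frac) * p_ct + cheat_frac) + (1.0 - pi_a) * (1.0 - p_ct)
    return (p_yes - (1.0 - p_ct)) / (2.0 * p_ct - 1.0)


def simulate_rrt_w(pi_a: float, p_ct: float, n_resp: int,
                   cheat_frac: float = 0.0, seed: int = 1) -> float:
    """Monte Carlo poll with a seeded generator; returns the RRT-W estimate."""
    rng = random.Random(seed)
    yes = 0
    for _ in range(n_resp):
        t = 1 if rng.random() < pi_a else 0
        cheater = t == 1 and rng.random() < cheat_frac
        truthful = cheater or rng.random() < p_ct
        yes += t if truthful else 1 - t
    return rrt_w_estimate(yes, n_resp, p_ct)


def prrt_bd_estimate(answer_counts, p_ct: float, p_forced):
    """PRRT-BD (Bourke-Dalenius): p_ans = p_ct*pi + p, hence pi = (p_ans - p)/p_ct
    componentwise.  `p_forced` holds p_1..p_m with p_ct + sum(p_forced) == 1."""
    if abs(p_ct + sum(p_forced) - 1.0) > 1e-9:
        raise ValueError("p_ct + sum(p_i) must equal 1")
    total = sum(answer_counts)
    return [((c / total) - p_i) / p_ct for c, p_i in zip(answer_counts, p_forced)]


if __name__ == "__main__":
    print(rrt_w_estimate(600, 1000, 0.75))            # 0.7
    print(rrt_w_biased_expectation(0.5, 0.75, 0.2))   # 0.55, a 10% overestimate
    print(simulate_rrt_w(0.5, 0.75, 20000, cheat_frac=0.2))
    print(prrt_bd_estimate([30, 40, 30], 0.5, [0.1, 0.2, 0.2]))  # [0.4, 0.4, 0.2]
```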

3 Related Cryptographic Work

In [KANG99], Kikuchi et al. propose techniques with goals similar to ours. Seemingly unaware of the previous work on RRT, the authors reinvent this notion, and propose a protocol for performing the data exchange. However, their protocol is considerably less efficient than ours. Also, it does not offer strong security in our sense. This vulnerability to cheating makes their protocol unsuitable for their main application (voting), as well as for polls where respondents may wish to bias their answer. Our protocols can be used in their framework.

Our work has a relation to work on biased coin flipping, where heads must come out with probability $p_{ct} = \ell/n$. In our case, the coin can be biased by the first participant in several ways, where the choice of the distribution encodes the opinion of the respondent to the poll. More concretely, consider a coin where one outcome (say, 1) corresponds to "yes", and the other (0) to "no". Let us assume that the respondent should give his correct opinion with 75% probability. Then, if his opinion is "yes", the coin will have bias 0.75, while it will have bias 0.25 if his opinion is "no". However, our technique is not merely a generalization of biased coin flipping, as we also want our protocols to implement privacy. This is an issue that is not important in the context of ordinary biased coin flipping.

In order to guarantee that responses are made according to the intended distribution, we introduce a "blinding" requirement: we need our protocols to be constructed such that they do not leak the response to the respondent — at least not until the response has been delivered to the interviewer. From a bird's-eye view, this makes our protocols similar to those in [JY96], in which a party proves either language membership or language non-membership to a verifier, but without being able to determine which one. However, the similarities between our protocols and those in [JY96] do not run much deeper than that.

In contrast, there is a much closer relationship between our protocols and protocols for oblivious transfer [Rab81,EGL85]. While our goals are orthogonal to those of oblivious transfer, the techniques are hauntingly similar. In particular, one of our CRRT protocols uses a protocol for oblivious transfer as a building block. While in principle any such protocol can be used, it is clear that the properties of the building block will be inherited by the main protocol. Therefore, in order to provide unconditional guarantees of privacy for the respondents, we use a verifiable variant of the information-theoretic protocol for oblivious transfer, namely that proposed by Naor and Pinkas [NP01b]. (An efficient protocol that offers computational security for the sender was proposed by Tzeng [Tze02].)

Cryptographic randomized response techniques are also related to oblivious function evaluation [Gol02], where one party has data $\mu$, while another party needs to compute $f(\mu)$, without getting to know any additional information on $\mu$, while the first party will not get to know $f$. Cryptographic RRTs can be seen as protocols for oblivious function evaluation of some specific randomized functions $f$.

Furthermore, our work is related to the work on Private Information Retrieval (PIR) — and even to privacy-preserving data-mining — in that the goal of our interviewer is to retrieve some element from the respondent, without the latter learning what was retrieved. More specifically, if some $\ell$ out of $n$ elements represent the respondent's opinion, and the remaining $n - \ell$ elements represent the opposite opinion, then the interviewer will learn the respondent's opinion with probability $\ell/n$ if he retrieves a random element. Of course, in order to guarantee to the interviewer that the elements are correctly formed, additional mechanisms are required.

In privacy-preserving data-mining a related data randomization approach has been proposed [AS00]: namely, the users input their data to the central database (e.g., a loyal customer inputs the name of the product he bought), and the database maintainer needs to do some statistical analysis on the database. However, the maintainer should not be able to recover individual items. Database randomization in the case when the maintainer is limited to the SUM function corresponds exactly to the RRT. For the same reasons as in the RRT, one should not be able to bias the data. Our protocols are also applicable in privacy-preserving data-mining and hopefully even in the case when more elaborate randomizations [ESAG02] are applied.

4 Cryptographic Building Blocks 

Assume that $p$ is a large prime, and $q$, $q \mid (p - 1)$, is another prime. Then $\mathbb{Z}_p^*$ has a unique subgroup $G$ of order $q$. Let $g$ and $h$ be two generators of $G$, such that nobody knows their mutual discrete logarithms $\log_g h$ and $\log_h g$. We let $k$ be the security parameter; in our setting we can take $k = q$. The key $K$ consists of the public parameters, $K := (g; h)$.

Pedersen's Commitment Scheme. In this scheme [Ped91], a message $\mu \in \mathbb{Z}_q$ is committed by drawing a random $\rho \leftarrow \mathbb{Z}_q$, and setting $C_K(\mu; \rho) := g^{\mu} h^{\rho}$. The commitment can be opened by sending $\mu$ and $\rho$ to the verifier. This scheme is homomorphic, i.e., $C_K(\mu; \rho) C_K(\mu'; \rho') = C_K(\mu + \mu'; \rho + \rho')$. Since it is also perfectly hiding and computationally binding, it can be used as a building block in efficient zero-knowledge arguments, such as protocols for arguing knowledge of the plaintext $\mu$.

Variant of Naor-Pinkas 1-out-of-n Oblivious Transfer. The oblivious transfer (OT) protocol by Naor and Pinkas [NP01b] guarantees information-theoretic privacy for the sender $\mathcal{R}$, and computational privacy for the chooser $\mathcal{I}$. Assume the sender $\mathcal{R}$ has a vector $\mu = (\mu_1, \dots, \mu_n) \in M^n$ for some set $M \subset \mathbb{Z}_q$. The chooser $\mathcal{I}$ has made a choice $\sigma \in [1, n]$. The Naor-Pinkas protocol works as follows:

1. $\mathcal{I}$ generates random $a, b \leftarrow \mathbb{Z}_q$ and sends $(A, B, C) \leftarrow (g^a, g^b, g^{ab + \sigma})$ to $\mathcal{R}$.

2. $\mathcal{R}$ performs the following, for $i \in [1, n]$: Generate random $(r_i, s_i)$. Compute $w_i \leftarrow g^{r_i} A^{s_i}$, and compute an encryption $y_i$ of $\mu_i$ using $v_i \leftarrow B^{r_i} (C \cdot g^{-i})^{s_i}$ as the key. Send $(w_i, y_i)$ to $\mathcal{I}$.

3. $\mathcal{I}$ computes $w_\sigma^b$ $(= v_\sigma)$ and decrypts $y_\sigma$ using $v_\sigma$ as the key, obtaining $\mu_\sigma$.

(Both $\mathcal{R}$ and $\mathcal{I}$ halt if any received transcript is not correctly formatted.) Note that $w_i = g^{r_i + a s_i}$, while $v_i = B^{r_i} (C \cdot g^{-i})^{s_i} = w_i^b \cdot g^{(\sigma - i) s_i}$. Thus, $v_\sigma = w_\sigma^b$, while for $i \neq \sigma$, $v_i$ is a random element of $G$. Thus, in the third step the chooser $\mathcal{I}$ recovers $v_\sigma$, while obtaining no information about $v_i$ for $i \neq \sigma$.

The Naor and Pinkas [NP01b] paper does not specify the encryption method, mentioning only that the encryption scheme must be semantically secure. We propose to use Pedersen's commitment scheme instead of an encryption scheme. Herein, we use $K = (g; h)$ as the parameters of the commitment scheme, and use $v_i$ instead of $\rho_i$ as the random coin, producing a commitment $y_i := C_K(\mu_i; v_i)$. We denote this version of the Naor-Pinkas protocol, where $y_i$ is defined as $y_i = C_K(\mu_i; v_i)$, by $\binom{n}{1}$-$\mathrm{OT}_K(\mu; \sigma)$. (The full protocol is presented in Appendix A.)

The idea behind this unconventional trick is that, as a result, the sender can argue in zero-knowledge for all $i \in [1, n]$ that the values $\mu_i$ satisfy some required conditions. (We call such an OT protocol verifiable.) The chooser cannot decrypt $y_i$ without knowing $v_i$, and thus he cannot guess the value of $\mu_i$ for $i \neq \sigma$ (with probability higher than $|M|^2/q$, as we will show in Appendix A), even if he knows that $\mu_i$ is chosen from a fixed two-element set. (This constitutes the security of the OT protocol in the left-or-right sense. See Appendix A.) On the other hand, $\mathcal{I}$ can "decrypt" $y_\sigma$ with the "key" $v_\sigma$, given that the possible message space $M$ is small enough for the exhaustive search on the set $\{g^x : x \in M\}$ to be practical. In the case of dichotomous RRT, $M = \{0, 1\}$.

Noninteractive Zero-Knowledge Arguments. We will use zero-knowledge arguments 
(and not proofs) of knowledge in our protocol, since they are (at the very least) statis- 
tically hiding and computationally convincing. This property is important in a setting 
where a verifier must not be able to extract additional information even if he is given 
infinite time. 

Our first protocol uses only two very standard statistical zero-knowledge arguments. (The arguments for the second protocol are described in the appendices.) The first one is an argument that a given value $y_i$ (Pedersen-)commits to a Boolean value $\mu_i \in \{0, 1\}$. One can use standard disjunctive proofs [CDS94] for this. We denote the (possibly parallelized) argument that this holds for $i \in [1, n]$ by $\mathrm{AKEncBool}(y_1, \dots, y_n)$. The second argument of knowledge, $\mathrm{AKLin}(y_1, \dots, y_{n+1}; a, b)$, is an argument that the prover knows some set of values $\mu_i$, for which $y_i$ is a commitment of $\mu_i$, and such that $\sum_{i \le n} \mu_i + a \mu_{n+1} = b$. This argument of knowledge can be constructed from Pedersen's commitment scheme by computing $y \leftarrow \prod_{i \le n} y_i \cdot y_{n+1}^a$ and then arguing that the result $y$ is a commitment to $b$. Note that such an argument of knowledge is secure only when accompanied by zero-knowledge arguments of knowledge of the values $\mu_i$; for this purpose, we employ $\mathrm{AKEncBool}(y_1, \dots, y_{n+1})$ as described above.

5 Security Definitions 

In this section, we will give the definitions of a weakly and of a strongly secure cryptographic RRT (CRRT). The security definitions will be in accordance with the ones in secure two-party computation [Gol02]. We will also explain why these requirements are relevant in the case of CRRT.

Assume we have a concrete variant of RRT, like RRT-W or RRT-IQ. Let $\Phi_{p_{ct}}$ be the function that implements the desired functionality. For example, in the case of RRT-W, $\Phi_{p_{ct}}(x)$ is a randomized function that with probability $p_{ct}$ returns $x$, and with probability $1 - p_{ct}$ returns $1 - x$. The ideal-world CRRT protocol has three parties, the interviewer $\mathcal{I}$, the respondent $\mathcal{R}$, and the trusted third party $\mathcal{T}$. $\mathcal{R}$ has her type $t_{\mathcal{R}}$ as her private input, while $\mathcal{I}$ has no private input. Then, $\mathcal{R}$ communicates $t_{\mathcal{R}}$ to $\mathcal{T}$, who selects the value $r_{\mathcal{R}} \leftarrow \Phi_{p_{ct}}(t_{\mathcal{R}})$ and sends $r_{\mathcal{R}}$ to $\mathcal{I}$. After that, the private output of $\mathcal{I}$ will be $\Phi_{p_{ct}}(t_{\mathcal{R}})$, while $\mathcal{R}$ will have no private output. It is required that at the end of the protocol, the participants will have no information about the private inputs and outputs of their partners, except for what can be deduced from their own private inputs and outputs. In particular, $\mathcal{I}$ (resp. $\mathcal{R}$) has no information about the value of $t_{\mathcal{R}}$ (resp. $r_{\mathcal{R}}$), except what they can deduce from their private inputs and outputs.

In an ideal world, exactly the next three types of attacks are possible [Gol02, Section 2.1.2]: a party can (a) refuse to participate in the protocol; (b) substitute his private input to the trusted third party with a different value; or (c) abort the protocol prematurely. In our case, attack (c) is irrelevant, since $\mathcal{R}$ has no output. (Attack (c) models the case when the first party halts the protocol after receiving his private output but before the second party has enough information to compute her output.) Therefore, in an ideal-world RRT protocol, we cannot protect against a participant who (a) refuses to participate in polling (non-participation attack) or (b) claims that her type is $1 - t_{\mathcal{R}}$, where $t_{\mathcal{R}}$ is her real type (absolute denial attack). No other attacks should be possible. Note that neither (a) nor (b) is traditionally considered an attack in the context of polling or voting. The argument here is game-theoretic, and the solutions must be proposed by mechanism design, instead of cryptography: namely, a non-manipulable mechanism (e.g., the algorithm with which the election winner is determined from all the collected votes) must be designed so that answering against one's true type (or non-participation) would not give more beneficial results to the respondent than the truthful answer.

On the other hand, as we stated, no other attacks should be allowed. This requirement is very strict, so we will explain why it is necessary in the RRT's context. Clearly, one must protect the privacy of $\mathcal{R}$, since this is the primary goal of a RRT. It is also necessary to protect the privacy of $\mathcal{I}$, although the reason here is more subtle. Namely, if $\mathcal{R}$ obtains any additional information about $r_{\mathcal{R}}$ before the end of the protocol (for example, if she suspects that $r_{\mathcal{R}} \neq t_{\mathcal{R}}$), she might halt the protocol. Such behavior by a malicious respondent might cause a bias in the poll, as already explained. (Halting the protocol while having no information on $r_{\mathcal{R}}$ is equivalent to the non-participation attack.) The third requirement on the protocol, of course, is that $\mathcal{I}$ either halts or receives $\Phi_{p_{ct}}(x)$, where $x$ is the input submitted by $\mathcal{R}$.

In a real-world implementation, we want to replace $\mathcal{T}$ by a cryptographic protocol $\Pi = (\mathcal{R}, \mathcal{I})$ between $\mathcal{R}$ and $\mathcal{I}$. This protocol $(\mathcal{R}, \mathcal{I})$ is assumed to be "indistinguishable" from the ideal-world protocol, that is, with high probability, it should be secure against all attacks that do not involve attacks (a) or (b). "Secure" means that the privacy of $\mathcal{R}$ (resp. $\mathcal{I}$) must be protected if $\mathcal{R}$ (resp. $\mathcal{I}$) follows the protocol, and that $\mathcal{I}$ either halts, or receives the value $\Phi_{p_{ct}}(x)$, where $x$ was the submitted value of $\mathcal{R}$. The security of the respondent should be information-theoretic, while the security of the interviewer can be computational. That is, a secure CRRT-W protocol must have the next three properties (here, $k$ is the security parameter):

Privacy of Respondent: Let $\mathcal{I}^*$ be an algorithm. After the end of the protocol execution $(\mathcal{R}, \mathcal{I}^*)$, $\mathcal{I}^*$ will have no more information on $t_{\mathcal{R}}$ than it would have had after the execution of the ideal-world protocol. That is, assuming that $\mathrm{view}_{\mathcal{I}^*}$ is his view of the protocol $(\mathcal{R}, \mathcal{I}^*)$, define

$$\mathrm{Adv}^{\mathrm{res}}(\mathcal{R}, \mathcal{I}^*) := \left| \Pr[\mathcal{I}^*(\mathrm{view}_{\mathcal{I}^*}, r_{\mathcal{R}}) = t_{\mathcal{R}}] - \Pr[t_{\mathcal{R}} \mid r_{\mathcal{R}}] \right| ,$$

where the probability is taken over the internal coin tosses of $\mathcal{I}^*$ and $\mathcal{R}$. We say that a CRRT protocol is privacy-preserving for the respondent if $\mathrm{Adv}^{\mathrm{res}}(\mathcal{R}, \mathcal{I}^*)$ is negligible (in $k$) for any unbounded adversary $\mathcal{I}^*$.

Privacy of Interviewer: Let $\mathcal{R}^*$ be an algorithm. Assume that $\mathcal{I}$ halts when $\mathcal{R}^*$ halts. After the end of the protocol execution $(\mathcal{R}^*, \mathcal{I})$, $\mathcal{R}^*$ will have no more information on $r_{\mathcal{R}}$ than it would have had after the execution of the ideal-world protocol. That is, assuming that $\mathrm{view}_{\mathcal{R}^*}$ is her view of the protocol $(\mathcal{I}, \mathcal{R}^*)$, define

$$\mathrm{Adv}^{\mathrm{int}}(\mathcal{R}^*, \mathcal{I}) := \left| \Pr[\mathcal{R}^*(\mathrm{view}_{\mathcal{R}^*}, t_{\mathcal{R}}) = r_{\mathcal{R}}] - \Pr[\mathcal{R}^*(t_{\mathcal{R}}) = r_{\mathcal{R}}] \right| ,$$

where the probability is taken over the internal coin tosses of $\mathcal{R}^*$ and $\mathcal{I}$. We say that a CRRT protocol is privacy-preserving for the interviewer if for any adversary $\mathcal{R}^*$, if $\mathrm{Adv}^{\mathrm{int}}(\mathcal{R}^*, \mathcal{I}) \le \varepsilon$ and $\mathcal{R}^*$ takes $\tau$ steps of computation, then $\varepsilon\tau$ is negligible (in $k$).
Correctness: Let $\mathcal{R}^*(x)$ be an algorithm with private input $x$ to the protocol $(\mathcal{R}^*, \mathcal{I})$. Assume that $\mathcal{I}$ halts when $\mathcal{R}^*$ halts. We require that at the end of the protocol execution $(\mathcal{R}^*, \mathcal{I})$, $\mathcal{I}$ will either halt, or otherwise receive $\Phi_{p_{ct}}(x)$ with high probability. That is, assuming that $\mathrm{view}_{\mathcal{I}}$ is $\mathcal{I}$'s view of the protocol $(\mathcal{R}^*, \mathcal{I})$, define

$$\mathrm{Adv}^{\mathrm{corr}}(\mathcal{R}^*, \mathcal{I}) := 1 - \Pr[\mathcal{I}(\mathrm{view}_{\mathcal{I}}) = \Phi_{p_{ct}}(x) \mid \mathcal{I} \text{ does not halt}] ,$$

where the probability is taken over the internal coin tosses of $\mathcal{I}$ and $\mathcal{R}^*$. We say that a CRRT protocol is correct if for any adversary $\mathcal{R}^*$, if $\mathrm{Adv}^{\mathrm{corr}}(\mathcal{R}^*, \mathcal{I}) = \varepsilon$ and $\mathcal{R}^*$ takes up to $\tau$ steps of computation, then $\varepsilon\tau$ is negligible (in $k$).

We call a cryptographic RRT (CRRT) protocol weakly secure if it is privacy-preserving for the respondent and correct. We call a CRRT protocol (strongly) secure if it is weakly secure and it is privacy-preserving for the interviewer. While a secure CRRT protocol is preferable in many situations, there are settings where a weakly secure CRRT protocol suffices, such as where halting can be easily detected and punished, or where means for state recovery prevent modifications between a first and second attempt at executing the protocol.

6 Cryptographic RRT 

We will propose three different CRRT-W protocols. In the first two protocols, the common parameters are $p_{ct} = \ell/n > 1/2$; generators $g$ and $h$ whose mutual discrete logs are unknown (at least by $\mathcal{R}$); and $K = (g; h)$. $\mathcal{R}$ has private input $t = t_{\mathcal{R}}$, and $\mathcal{I}$'s private output is $r_{\mathcal{R}}$.

CRRT Protocol Based on Oblivious Transfer. Our first implementation of RRT-W is described in Protocol 1. The arguments of knowledge can be efficiently constructed, see Sect. 4. Here, we can use $\mathrm{AKLin}(y_1, \dots, y_{n+1}; 2\ell - n; \ell)$ since $\sum_{i \le n} \mu_i + (2\ell - n)\mu_{n+1} = \ell$ independently of the value of $t$. All the steps in this protocol must be authenticated.



Precomputation step:

1. $\mathcal{R}$ prepares $n$ random bits $\mu_i \in \{0, 1\}$ for $i \in [1, n]$, such that $\sum_i \mu_i = \ell$ if $t = 1$ and $\sum_i \mu_i = n - \ell$ if $t = 0$. Additionally, she sets $\mu_{n+1} \leftarrow 1 - t$.

2. $\mathcal{I}$ chooses an index $\sigma \in [1, n]$.

Interactive step:

1. $\mathcal{I}$ and $\mathcal{R}$ follow $\binom{n}{1}$-$\mathrm{OT}_K(g^{\mu_1}, \dots, g^{\mu_n}; \sigma)$. $\mathcal{I}$ obtains $g^{\mu_\sigma}$, and computes $\mu_\sigma$ from that.

2. $\mathcal{R}$ sends to $\mathcal{I}$ noninteractive zero-knowledge arguments $\mathrm{AKEncBool}(y_1, \dots, y_{n+1})$ and $\mathrm{AKLin}(y_1, \dots, y_{n+1}; 2\ell - n; \ell)$.

3. $\mathcal{I}$ verifies the arguments, and halts if the verification fails.

Protocol 1: A secure CRRT-W protocol based on oblivious transfer

If we take the number of bits that must be committed as the efficiency measure (communication complexity of the protocol), then our protocol has complexity $O(n)$. In the polling application, one can most probably assume that $n \le 5$. The security proofs of this protocol follow directly from the properties of the underlying primitives. As a direct corollary of Theorem 2, we get that Protocol 1 is privacy-preserving for the respondent ($\mathrm{Adv}^{\mathrm{res}}(\mathcal{R}, \mathcal{I}^*) \le 2/q + O(1/q)$, where the constant comes in from the use of statistically-hiding zero-knowledge arguments). It is privacy-preserving for the interviewer, given the Decisional Diffie-Hellman (DDH) assumption. The correctness of this protocol follows from the properties of the zero-knowledge arguments used, under the DDH assumption.
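A toy run of Protocol 1 on top of the Pedersen-based $\binom{n}{1}$-OT of Section 4, as an added example that is not the paper's code. The group parameters ($p = 2039$, $q = 1019$), the derivation of $g$ and $h$ by hashing, the Fiat-Shamir Schnorr proof used to instantiate $\mathrm{AKLin}$, and the way $y_{n+1}$ is transmitted are all my choices; $\mathrm{AKEncBool}$ is omitted.

```python
"""Protocol 1 (CRRT-W via Pedersen-based 1-out-of-n OT), toy instantiation.
The group is a tiny safe-prime group and offers no security; it only makes
the arithmetic of the OT and of the homomorphic AKLin argument visible."""
import hashlib
import secrets

P, Q = 2039, 1019   # toy safe-prime group p = 2q + 1 (constructed, not secure)


def _derive_generator(label: bytes, avoid=()) -> int:
    """Hash a label into the order-q subgroup, so that nobody knows log_g h."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        cand = pow(x, 2, P)   # squares in Z_p^* form the unique subgroup of order q
        if cand not in (0, 1) and cand not in avoid:
            return cand
        ctr += 1


G = _derive_generator(b"g")
H = _derive_generator(b"h", avoid=(G,))


def commit(mu: int, rho: int) -> int:
    """Pedersen commitment C_K(mu; rho) = g^mu h^rho mod p, with K = (g; h)."""
    return (pow(G, mu % Q, P) * pow(H, rho % Q, P)) % P


def respondent_bits(t: int, ell: int, n: int):
    """Precomputation: ell ones if t = 1, n - ell ones if t = 0; then mu_{n+1} = 1 - t."""
    ones = ell if t == 1 else n - ell
    bits = [1] * ones + [0] * (n - ones)
    secrets.SystemRandom().shuffle(bits)
    return bits + [1 - t]


def chooser_query(sigma: int):
    """OT step 1 (interviewer): keep b, send (A, B, C) = (g^a, g^b, g^{ab + sigma})."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    return b, (pow(G, a, P), pow(G, b, P), pow(G, (a * b + sigma) % Q, P))


def sender_reply(bits, query):
    """OT step 2 (respondent): w_i = g^{r_i} A^{s_i}, v_i = B^{r_i} (C g^{-i})^{s_i},
    y_i = C_K(mu_i; v_i).  Only v_sigma can later be recomputed by the chooser."""
    A, B, C = query
    ws, ys, vs = [], [], []
    for i, mu in enumerate(bits, start=1):          # indices 1..n as in the paper
        r, s = secrets.randbelow(Q), secrets.randbelow(Q)
        ws.append((pow(G, r, P) * pow(A, s, P)) % P)
        v = (pow(B, r, P) * pow((C * pow(G, (-i) % Q, P)) % P, s, P)) % P
        vs.append(v)
        ys.append(commit(mu, v))
    return ws, ys, vs


def chooser_decrypt(b: int, w_sigma: int, y_sigma: int, msg_space=(0, 1)) -> int:
    """OT step 3: v_sigma = w_sigma^b, strip h^{v_sigma}, search g^x over the small M."""
    v_sigma = pow(w_sigma, b, P)
    g_mu = (y_sigma * pow(pow(H, v_sigma % Q, P), -1, P)) % P
    for x in msg_space:
        if pow(G, x, P) == g_mu:
            return x
    raise ValueError("malformed transcript")


def _challenge(ys, big_t) -> int:
    """Fiat-Shamir challenge for the Schnorr proof (my instantiation, not the paper's)."""
    return int.from_bytes(hashlib.sha256(repr((ys, big_t)).encode()).digest(), "big") % Q


def aklin_prove(ys, vs, rho_last, ell, n):
    """AKLin(y_1..y_{n+1}; 2ell-n; ell): prove knowledge of rho such that
    prod_{i<=n} y_i * y_{n+1}^{2ell-n} = g^ell h^rho, i.e. sum mu_i + (2ell-n) mu_{n+1} = ell."""
    rho = (sum(vs) + (2 * ell - n) * rho_last) % Q
    k = secrets.randbelow(Q)
    big_t = pow(H, k, P)
    return big_t, (k + _challenge(ys, big_t) * rho) % Q


def aklin_verify(ys, proof, ell, n) -> bool:
    """Verifier side: recompute the aggregate commitment divided by g^ell (= h^rho)."""
    big_t, z = proof
    agg = 1
    for y in ys[:n]:
        agg = (agg * y) % P
    agg = (agg * pow(ys[n], 2 * ell - n, P) * pow(pow(G, ell, P), -1, P)) % P
    return pow(H, z, P) == (big_t * pow(agg, _challenge(ys, big_t), P)) % P


def run_protocol1(t: int, ell: int = 3, n: int = 4):
    """One toy run of Protocol 1 (AKEncBool omitted). Returns (r, aklin_ok);
    since sigma is uniform, r == t holds with probability ell/n = p_ct."""
    bits = respondent_bits(t, ell, n)
    sigma = secrets.randbelow(n) + 1
    b, query = chooser_query(sigma)
    ws, ys, vs = sender_reply(bits[:n], query)
    rho_last = secrets.randbelow(Q)   # fresh coin for y_{n+1}, sent alongside (assumed)
    ys.append(commit(bits[n], rho_last))
    r = chooser_decrypt(b, ws[sigma - 1], ys[sigma - 1])
    ok = aklin_verify(ys, aklin_prove(ys, vs, rho_last, ell, n), ell, n)
    return r, ok
```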

In a simplified weakly secure protocol based on the same idea, $\mathcal{R}$ commits to all $\mu_i$ by computing and publishing $y_i \leftarrow C_K(\mu_i; \rho_i)$. Next, $\mathcal{R}$ argues $\mathrm{AKEncBool}(y_1, \dots, y_{n+1})$ and $\mathrm{AKLin}(y_1, \dots, y_{n+1}; 2\ell - n; \ell)$. After that, $\mathcal{I}$ sends $\sigma$ to $\mathcal{R}$, who then reveals $\mu_\sigma$ and $\rho_\sigma$. Upon obtaining these, $\mathcal{I}$ verifies the correctness of the corresponding commitment, outputting $\mu_\sigma$.

CRRT from Coin-Flipping. Protocol 2 depicts a secure CRRT-W protocol with communication complexity $O(d \log_2 n)$, where $d := \lceil 1/(1 - p_{ct}) \rceil$, and $p_{ct} = \ell/n$ as previously. While in the common RRT application one can usually assume that $n$ is relatively small, this second protocol is useful in some specific game-theoretic applications where, for the best outcome, $p_{ct}$ must have a very specific value. The idea behind this protocol is that at least one of the integers $\mu + \nu + i\ell \bmod n$ must be in the interval $[0, \ell - 1]$, and at least one of them must be in the interval $[\ell, n - 1]$. Hence, $\mathcal{I}$ gets the necessary proofs for both the 0 and the 1 answer, which is sufficient for his goal. For his choice to be accepted, he must accompany the corresponding $r$ with $\mathcal{R}$'s signature on his commitment to $\sigma$.



Precomputation step:

1. $\mathcal{R}$ chooses a random $\mu \leftarrow_r [0, n-1]$.

2. $\mathcal{I}$ chooses random $\nu \leftarrow_r [0, n-1]$ and $\sigma \leftarrow_r [0, d-1]$.

Interactive step:

1. $\mathcal{R}$ commits to $t$ and $\mu$, and sends the commitments to $\mathcal{I}$.

2. $\mathcal{I}$ commits to $\sigma$ by setting $y \leftarrow C_K(\sigma; \rho)$ for some random $\rho$. He sends $\nu$ and $y$ to $\mathcal{R}$, together with a zero-knowledge argument that $y$ is a commitment to some $\sigma \in [0, d-1]$.

3. $\mathcal{R}$ verifies the argument. She computes values $\mu'_i$, for $i \in [0, d-1]$, such that $\mu'_i = t \iff (\mu + \nu + i\ell \bmod n) < \ell$. She signs $y$, and sends her signature together with $\{\mu'_i\}$ and the next zero-knowledge argument for every $i \in [0, d-1]$: $[\mu'_i = t \iff (\mu + \nu + i\ell \bmod n) < \ell]$.

4. After that, $\mathcal{I}$ sets $r \leftarrow \mu'_\sigma$. He will accompany this with $\mathcal{R}$'s signature on the commitment, so that both $\mathcal{R}$ and third parties can verify it.

Protocol 2: A secure CRRT-W protocol based on coin-flipping

A weakly secure version of this protocol is especially efficient. There, one should set $d \leftarrow 1$, and omit the steps in Protocol 2 that depend on $\sigma$ being greater than 1. (E.g., there is no need to commit to $\sigma$ anymore.) Thus, such a protocol would have communication complexity $\Theta(\log_2 n)$. Now, $p_{ct} > 1/2$ (otherwise one could just do a bit-flip on the answers), and hence $d > 2$. On the other hand, the privacy of respondents is in danger if, say, $p_{ct} > 3/4$. Thus, we may assume that $d \in [3, 4]$. Therefore, Protocol 2 will be more communication-efficient than Protocol 1 as soon as $n / \log_2 n > 4$, or $n > 16$. The weakly secure version will always be more communication-efficient.

Precomputation step:

1. $\mathcal{I}$ chooses random $u_0 \in [0, 1]$, $u_1 \in [0, 1]$. He generates quantum states $|\psi_0\rangle = \sqrt{p_{ct}}\,|u_0\rangle + \sqrt{1 - p_{ct}}\,|1 - u_0\rangle$, $|\psi_1\rangle = \sqrt{p_{ct}}\,|u_1\rangle + \sqrt{1 - p_{ct}}\,|1 - u_1\rangle$.

2. $\mathcal{R}$ chooses a random $i \leftarrow_r [0, 1]$.

Interactive step:

1. $\mathcal{I}$ sends $|\psi_0\rangle$ and $|\psi_1\rangle$ to $\mathcal{R}$.

2. $\mathcal{R}$ sends $i$ to $\mathcal{I}$.

3. $\mathcal{I}$ sends $u_i$ to $\mathcal{R}$.

4. $\mathcal{R}$ measures the state $|\psi_i\rangle$ in the basis $\{|\psi_{u_i}\rangle = \sqrt{p_{ct}}\,|u_i\rangle + \sqrt{1 - p_{ct}}\,|1 - u_i\rangle,\ |\psi^{\perp}_{u_i}\rangle = \sqrt{1 - p_{ct}}\,|u_i\rangle - \sqrt{p_{ct}}\,|1 - u_i\rangle\}$ and halts if the result is not $|\psi_{u_i}\rangle$.

5. If the verification is passed, $\mathcal{R}$ performs the transformation $|0\rangle \to |t\rangle$, $|1\rangle \to |1 - t\rangle$ on the state $|\psi_{1-i}\rangle$ and sends it back to $\mathcal{I}$.

6. $\mathcal{I}$ measures the state in the basis $|0\rangle, |1\rangle$, gets outcome $s$. $\mathcal{I}$ outputs $r \leftarrow u_{1-i} \oplus s$.

Protocol 3: A quantum CRRT-W protocol.

This protocol is especially efficient if the used commitment scheme is an integer commitment scheme [FO99,DF02]. In this case, to argue that $(\mu + \nu + i\ell \bmod n) < \ell$ one only must do the next two simple steps: first, argue that $\mu + \nu + i\ell = z + en$ for some $z, e$, and then, argue that $z \in [0, \ell - 1]$. This can be done efficiently by using the range proofs from [Bou00,Lip01]. One can also use Pedersen's scheme, but this would result in more complicated arguments.
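As an added illustration (this is not code from the paper), the following Python functions check the arithmetic that Protocol 2 rests on: for $p_{ct} = \ell/n$ with $p_{ct} \ge 1/2$ and $d = \lceil 1/(1 - p_{ct}) \rceil$, every pair $(\mu, \nu)$ yields at least one index $i \in [0, d-1]$ whose residue $\mu + \nu + i\ell \bmod n$ lies in $[0, \ell-1]$ and at least one whose residue lies in $[\ell, n-1]$, and the interviewer's output $\mu'_\sigma$ equals $t$ with probability exactly $\ell/n$ when $\mu$, $\nu$ and $\sigma$ are uniform. It also shows that the interval property fails once $p_{ct} < 1/2$, which is why the text restricts to $p_{ct} > 1/2$. The function names and the sample parameters are this editor's constructed choices.

```python
from fractions import Fraction
from math import ceil


def repetitions(ell, n):
    """d := ceil(1 / (1 - p_ct)) for p_ct = ell / n, computed exactly."""
    return ceil(1 / (1 - Fraction(ell, n)))


def respondent_values(t, mu, nu, ell, n, d):
    """Step 3 of Protocol 2: mu'_i = t iff (mu + nu + i*ell) mod n < ell, and 1 - t otherwise."""
    return [t if (mu + nu + i * ell) % n < ell else 1 - t for i in range(d)]


def interval_claim_holds(ell, n, d):
    """For every (mu, nu): some i in [0, d-1] has residue in [0, ell-1] and some i has
    residue in [ell, n-1], i.e. the interviewer can obtain a proof for both the 0 and the 1 answer."""
    for mu in range(n):
        for nu in range(n):
            residues = [(mu + nu + i * ell) % n for i in range(d)]
            if not (any(x < ell for x in residues) and any(x >= ell for x in residues)):
                return False
    return True


def prob_answer_is_true_type(t, ell, n, d):
    """Exact Pr[mu'_sigma = t] over uniform mu, nu in [0, n-1] and sigma in [0, d-1]."""
    hits = total = 0
    for mu in range(n):
        for nu in range(n):
            values = respondent_values(t, mu, nu, ell, n, d)
            hits += sum(1 for sigma in range(d) if values[sigma] == t)
            total += d
    return Fraction(hits, total)


if __name__ == "__main__":
    # constructed sample parameters: p_ct = 3/5 and p_ct = 7/10
    for ell, n in ((3, 5), (7, 10)):
        d = repetitions(ell, n)
        print(ell, n, d, interval_claim_holds(ell, n, d), prob_answer_is_true_type(1, ell, n, d))
```

The probability comes out as $\ell/n$ for either type because, for each fixed $i$, the residue $\mu + \nu + i\ell \bmod n$ is uniform over $[0, n-1]$ when $\mu$ and $\nu$ are; the interval property is what guarantees that the set $\{\mu'_i\}$ never consists of a single value, so $\mathcal{I}$ cannot learn $t$ from it.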

Quantum-Cryptographic RRT. We also present a quantum CRRT protocol (see Protocol 3) that allows for a value of $p_{ct}$ that does not have to be a rational number, and which provides a relaxed form of information-theoretic security to both parties. While not secure by our previous definitions, it provides meaningfully low bounds on the probabilities of success for a cheater. Namely, (a) if dishonest, $\mathcal{R}$ cannot make his vote count as more than $\sqrt{2}$ votes: if $p_{ct} = \frac12 + \varepsilon$, then $p_{adv} \le \frac12 + \sqrt{2}\varepsilon$ (we also show a slightly better bound with a more complicated expression for $p_{adv}$, cf. Appendix B). (b) If a dishonest strategy allows $\mathcal{I}$ to learn $t$ with probability $p_{ct} + \varepsilon$, it also leads to $\mathcal{I}$ being caught cheating with a probability bounded from below in terms of $\varepsilon$, as stated in Theorem 3 (Appendix B). This form of security (information-theoretic security with relaxed definitions) is common for quantum protocols for tasks like bit commitment [ATVY00] or coin flipping [Amb01,SR02]. The security guarantees of our quantum protocol compare quite well to the ones achieved for those tasks. A desirable property of this quantum protocol is that it can be implemented by using contemporary technology, since it only involves transmitting and measuring single qubits, and no maintaining of coherent multi-qubit states.

To show the main ideas behind the quantum protocol, we now show how to analyze a simplified version of Protocol 3. The security proof for the full protocol is quite complicated and is given in Appendix B. We also refer to Appendix B for the definitions of quantum states and operations on them.

The simplified version of Protocol 3 is:






Andris Ambainis, Markus Jakobsson, and Helger Lipmaa 



1. $\mathcal{I}$ chooses a random $u \leftarrow_r [0, 1]$, prepares a quantum bit in the state $|\psi_u\rangle = \sqrt{p_{ct}}\,|u\rangle + \sqrt{1 - p_{ct}}\,|1 - u\rangle$ and sends it to $\mathcal{R}$.

2. $\mathcal{R}$ performs a bit flip if her type $t = 1$, and sends the quantum bit back to $\mathcal{I}$.

3. $\mathcal{I}$ measures the state in the computational basis $|0\rangle, |1\rangle$, gets answer $s$. The answer is $r = u \oplus s$.

If both parties are honest, the state returned by the respondent is unchanged: $\sqrt{p_{ct}}\,|u\rangle + \sqrt{1 - p_{ct}}\,|1 - u\rangle$ if $t = 0$ and $\sqrt{p_{ct}}\,|1 - u\rangle + \sqrt{1 - p_{ct}}\,|u\rangle$ if $t = 1$. Measuring this state gives the correct answer with probability $1 - p_{ct}$. Next, we show that the respondent is unable to misuse this protocol.

Theorem 1. For any respondent's strategy $\mathcal{R}^*$, the probability of the honest interviewer $\mathcal{I}$ getting $r = 1$ is between $1 - p_{ct}$ and $p_{ct}$. Therefore, the previous protocol is both correct and privacy-preserving for the interviewer.

Proof. We show that the probability of $r = 1$ is at most $p_{ct}$. The other direction is similar. We first modify the (simplified) protocol by making $\mathcal{R}^*$ measure the state and send the measured result to $\mathcal{I}$; this does not change the result of the honest protocol, since the measurement remains the same. Also, any cheating strategy for $\mathcal{R}^*$ in the original protocol can be used in the new protocol as well. So, it is sufficient to bound the probability of $r = 1$ in the new protocol.

Now, the answer is $r = 1$ if $\mathcal{I}$ sent $|\psi_i\rangle$ and $\mathcal{R}^*$ sends back $j$, with $i \ne j$. Thus, we have the setting of Fact 1 (see Appendix B.1). The rest is a calculation: to determine the angle $\beta$ between $|\psi_0\rangle$ and $|\psi_1\rangle$, it suffices to determine the inner product, which is $\sin\beta = 2\sqrt{p_{ct}(1 - p_{ct})}$. Therefore, $\cos\beta = \sqrt{1 - \sin^2\beta} = 2p_{ct} - 1$ and $\frac12 + \frac{\cos\beta}{2} = p_{ct}$. $\square$



On the other hand, when using this simplified version, a dishonest interviewer $\mathcal{I}^*$ can always learn $t$ with probability 1. Namely, it suffices to send the state $|0\rangle$. If $t = 0$, $\mathcal{R}$ sends $|0\rangle$ back unchanged. If $t = 1$, $\mathcal{R}$ applies a bit flip, and the state becomes $|1\rangle$. $\mathcal{I}^*$ can then distinguish $|0\rangle$ from $|1\rangle$ with certainty by a measurement in the computational basis.

Note that this is similar to a classical "protocol", where $\mathcal{I}$ first generates a random $u$ and sends a bit $i$ that is equal to $u$ with probability $p_{ct}$ and to $1 - u$ with probability $1 - p_{ct}$. $\mathcal{R}$ then flips the bit if $t = 1$ and sends it back unchanged if $t = 0$. The interviewer XORs it with $u$, getting $t$ with probability $p_{ct}$ and $1 - t$ with probability $1 - p_{ct}$. In this "protocol", $\mathcal{R}$ can never cheat. However, $\mathcal{I}^*$ can learn $t$ with probability 1 by just remembering $i$ and XORing the answer with $i$ instead of $u$. In the classical world, this flaw is fatal because $\mathcal{I}$ cannot prove that he has generated $i$ from the correct probability distribution and has not kept a copy of $i$ for himself. In the quantum case, $\mathcal{I}$ can prove to $\mathcal{R}$ that he has correctly prepared the quantum state. Then, we get Protocol 3 with $\mathcal{I}$ sending two states $|\psi_{u_0}\rangle$ and $|\psi_{u_1}\rangle$, one of which is verified and the other is used for transmitting $t$. (See Appendix B for a detailed analysis of this protocol.)
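To make the contrast drawn in the last two paragraphs concrete, here is an added Python simulation (this is the editor's code, not the paper's): it runs the classical "protocol" with an honest interviewer and with one who remembers $i$, and it models the simplified quantum protocol with real two-component state vectors, computing $\Pr[r = 1]$ for an honest run, the Theorem 1 bound on a cheating $\mathcal{R}^*$ (the optimal probability of telling $|\psi_0\rangle$ from $|\psi_1\rangle$, written here in the form $\frac12 + \frac12\sqrt{1 - \langle\psi_0|\psi_1\rangle^2}$), and the $|0\rangle$ attack of a dishonest interviewer. The parameter value $p_{ct} = 3/4$ and the trial counts are constructed choices.

```python
import math
import random

P_CT = 0.75  # constructed parameter p_ct


def classical_round(t, p_ct, rng):
    """One run of the classical 'protocol': I draws u and sends i, which equals u with
    probability p_ct; R flips i iff t = 1; I XORs the reply with u."""
    u = rng.randrange(2)
    i = u if rng.random() < p_ct else 1 - u
    reply = i ^ t
    r_honest = reply ^ u      # honest I: equals t with probability p_ct
    t_cheating = reply ^ i    # I* remembers i: recovers t with certainty
    return r_honest, t_cheating


def classical_stats(t, p_ct, trials, seed=1):
    """Empirical Pr[r = t] for an honest I and the hit rate of the remembering I*."""
    rng = random.Random(seed)
    honest_hits = cheat_hits = 0
    for _ in range(trials):
        r, guess = classical_round(t, p_ct, rng)
        honest_hits += (r == t)
        cheat_hits += (guess == t)
    return honest_hits / trials, cheat_hits / trials


# --- simplified quantum protocol of Sect. 6; real amplitudes suffice ---
def psi(u, p_ct):
    """|psi_u> = sqrt(p_ct)|u> + sqrt(1 - p_ct)|1 - u> as a 2-vector."""
    v = [0.0, 0.0]
    v[u], v[1 - u] = math.sqrt(p_ct), math.sqrt(1 - p_ct)
    return v


def bit_flip(v):
    """The unitary X: swaps the |0> and |1> amplitudes."""
    return [v[1], v[0]]


def prob_r_is_one_honest(t, p_ct):
    """Pr[r = 1] when both parties follow the protocol: u is uniform, R flips iff t = 1,
    I measures in the computational basis and outputs r = u xor s."""
    total = 0.0
    for u in (0, 1):
        state = bit_flip(psi(u, p_ct)) if t == 1 else psi(u, p_ct)
        for s in (0, 1):
            if u ^ s == 1:
                total += 0.5 * state[s] ** 2
    return total


def cheating_respondent_bound(p_ct):
    """Theorem 1: to force r = 1, R* must tell |psi_0> from |psi_1> (a fair coin chose u);
    the optimal success probability for two pure states is 1/2 + sqrt(1 - <psi_0|psi_1>^2) / 2."""
    v0, v1 = psi(0, p_ct), psi(1, p_ct)
    ip = v0[0] * v1[0] + v0[1] * v1[1]
    return 0.5 + math.sqrt(max(0.0, 1 - ip * ip)) / 2


def cheating_interviewer_learns_t(t):
    """The flaw of the simplified protocol: I* sends |0> instead of |psi_u>; R returns
    |0> if t = 0 and X|0> = |1> if t = 1, so a computational-basis measurement yields t."""
    state = [1.0, 0.0]
    returned = bit_flip(state) if t == 1 else state
    return 1 if returned[1] > returned[0] else 0


if __name__ == "__main__":
    print(classical_stats(1, P_CT, 20000))
    print(prob_r_is_one_honest(0, P_CT), prob_r_is_one_honest(1, P_CT))
    print(cheating_respondent_bound(P_CT), cheating_interviewer_learns_t(1))
```

With $p_{ct} = 3/4$ the honest quantum run gives $\Pr[r = 1] = 1/4$ for $t = 0$ and $3/4$ for $t = 1$, and the distinguishability bound evaluates to exactly $p_{ct}$, which is the content of Theorem 1; the last function returns $t$ for both types, which is the flaw that the two-state verification in Protocol 3 is designed to remove.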

7 Protocols for Other RRTs and Extensions



Protocol for Cryptographic RRT-IQ. Recall that in one version of RRT-IQ, the respondent would reply with his true opinion $t_{\mathcal{R}}$ with a rational probability $p_{ct} = \ell/n$, while he would otherwise flip a coin and answer whether it came up tails. Like for CRRT-W, it is important to guarantee the use of correct distributions. Protocol 1 can be easily changed to work for this version of RRT-IQ. Instead of $n$ random bits, $\mathcal{R}$ prepares $2n$ random bits $\mu_i$, so that $\sum_i \mu_i = n + \ell$ if $t_{\mathcal{R}} = 1$, and $\sum_i \mu_i = n - \ell$ if $t_{\mathcal{R}} = 0$. She also prepares a checksum bit $\mu_{2n+1} = 1 - t_{\mathcal{R}}$. The rest of the protocol is principally the same as in Protocol 1, with $n$ changed to $2n$, and $\mathcal{R}$ arguing that $\mathrm{AKLin}(y_1, \dots, y_{2n+1}; 2\ell; 2n - \ell)$.

Protocol for Cryptographic PRRT-BD. The next protocol is a modification of Protocol 1 as well. Let $p_i$ be such that $p_{ct} + \sum_{i \in [1, m]} p_i = 1$; assume that every respondent has a type $t_{\mathcal{R}} \in [1, m]$. Assume $p_{ct} = \ell/n$, $p_i = \ell_i/n$ and that $p_i = 0$ if $i \notin [1, m]$. Assume $D > \max(\ell, \ell_1, \dots, \ell_m) + 1$. The respondent prepares $n$ numbers $\mu_i$ such that $\#\{i : \mu_i = t_{\mathcal{R}}\} = \ell_{t_{\mathcal{R}}} + \ell$, and $\#\{i : \mu_i = j\} = \ell_j$ if $j \ne t_{\mathcal{R}}$. Then the interviewer and the respondent execute a variant of OT with choice $\sigma$, during which the interviewer only gets to know the value $\mu_\sigma$. Then the respondent argues that the sum of all commitments is a commitment to the value $\sum_i \ell_i D^i + \ell D^j$ for some $j \in [1, m]$, by using range-proofs in exponents [LAN02]. (A more efficient proof methodology is available when $D$ is a prime [LAN02], given that one uses an integer commitment scheme.) Additionally, she argues that every single commitment corresponds to a value $D^i$ for $i \in [1, m]$, also using range-proofs in exponents [LAN02]. After the OT step, the interviewer gets $g^{D^{\mu_\sigma}}$, and recovers $\mu_\sigma$ from it efficiently. (Note that $m < 10$ is typical in the context of polling.)

Extensions to Hierarchies of Interviewers. One can consider a hierarchy of interviewers, reporting to some central authority. If there is a trust relationship between these two types of parties, no changes to our protocol would be required. However, if the central authority would like to avoid having to trust interviewers, the following modifications could be performed. First, each respondent would have to authenticate the transcript he generates, whether with a standard signature scheme, a group signature scheme, etc. Second, and in order to prevent collusions between interviewers and respondents, the interviewers must not be allowed to know the choice $\sigma$ made in a particular interview. Thus, the triple $(A, B, C)$ normally generated by the interviewer during the Naor-Pinkas OT protocol would instead have to be generated by the central authority, and kept secret by the same. More efficient versions of proxy OT satisfying our other requirements are beneficial for this application [NP01a].
A Security of Modified Oblivious Transfer Protocol

From our oblivious transfer protocol $\binom{n}{1}\text{-OT}_K(\mu; \sigma)$ we will require that it be secure in the next sense. The attack scenario consists of the following game. The chooser $\mathcal{I}^*$ chooses $\sigma$ and two different vectors, $\mu[1] = (\mu[1]_1, \dots, \mu[1]_n)$ and $\mu[2] = (\mu[2]_1, \dots, \mu[2]_n) \in M^n$, such that $\mu[1]_\sigma = \mu[2]_\sigma$. Denote an $\mathcal{I}^*$ that has made such choices by $\mathcal{I}^*(\mu[1], \mu[2])$. He submits both tuples to the responder, who flips a fair coin $b \in [1, 2]$. After that, the chooser and the responder execute the protocol $\binom{n}{1}\text{-OT}_K(\mu[b]; \sigma)$. After receiving $\mu[b]_\sigma$, $\mathcal{I}^*$ guesses the value of $b$. Let $\mathrm{Adv}^{lor}(\mathcal{I}^*, \mathcal{R})$ be the probability that $\mathcal{I}^*$ guesses the correct $b$, where the probability is taken over the internal coin tosses of $\mathcal{I}^*$ and $\mathcal{R}$. We say that the oblivious transfer protocol is $\varepsilon$-secure in the left-or-right sense if for any unbounded algorithm $\mathcal{I}^*$, $\mathrm{Adv}^{lor}(\mathcal{I}^*, \mathcal{R}) \le \varepsilon$.
Recall that the proposed variant of the Naor-Pinkas protocol works as follows:

1. $\mathcal{I}$ generates random $a, b \in \mathbb{Z}_q$ and sends $(A, B, C) \leftarrow (g^a, g^b, g^{ab - \sigma + 1})$ to $\mathcal{R}$.

2. $\mathcal{R}$ performs the following, for $i \in [1, n]$: generate random $(r_i, s_i)$; compute $w_i \leftarrow g^{r_i} A^{s_i}$; compute an encryption $y_i \leftarrow g^{\mu_i} v_i$, where $v_i \leftarrow B^{r_i}(C \cdot g^{i-1})^{s_i}$; send $(w_i, y_i)$ to $\mathcal{I}$.

3. $\mathcal{I}$ computes $w_\sigma^b$ $(= v_\sigma)$ and recovers $g^{\mu_\sigma} \leftarrow y_\sigma / w_\sigma^b$.
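The three steps above, run end to end in Python as an added example (this is the editor's code, not the paper's): the toy Schnorr group with $p = 107$, $q = 53$ and $g = 4$ is a constructed choice far too small for real use, the message space is $M = \{0, 1\}$ as in the RRT-W application, and the chooser recovers $\mu_\sigma$ by comparing $g^{\mu_\sigma}$ against $g^0$ and $g^1$. The driver also returns, for every index $i \ne \sigma$, what $\mathcal{I}$ obtains from $y_i / w_i^b$ next to the value $g^{\mu_i + (i - \sigma)s_i}$ predicted by the algebra, which makes visible that those entries are masked by $\mathcal{R}$'s fresh exponent $s_i$ and reveal $\mu_i$ only when $i = \sigma$.

```python
import random

# Constructed toy group (not from the paper): p = 107 is prime, q = 53 divides p - 1,
# and g = 4 generates the subgroup of order q in Z_p^*.
P, Q, G = 107, 53, 4
assert pow(G, Q, P) == 1 and G != 1


def inv(x):
    """Modular inverse in Z_p^* via Fermat's little theorem."""
    return pow(x, P - 2, P)


def chooser_first_message(sigma, a, b):
    """Step 1: I sends (A, B, C) = (g^a, g^b, g^(ab - sigma + 1))."""
    return pow(G, a, P), pow(G, b, P), pow(G, (a * b - sigma + 1) % Q, P)


def responder_reply(mu, A, B, C, coins):
    """Step 2: for i in [1, n], w_i = g^r_i A^s_i, v_i = B^r_i (C g^(i-1))^s_i, y_i = g^mu_i v_i."""
    pairs = []
    for i, (mu_i, (r_i, s_i)) in enumerate(zip(mu, coins), start=1):
        w_i = pow(G, r_i, P) * pow(A, s_i, P) % P
        v_i = pow(B, r_i, P) * pow(C * pow(G, i - 1, P) % P, s_i, P) % P
        pairs.append((w_i, pow(G, mu_i, P) * v_i % P))
    return pairs


def chooser_unblind(pairs, i, b):
    """Step 3 applied to index i: y_i / w_i^b. This equals g^mu_i only for i = sigma."""
    w_i, y_i = pairs[i - 1]
    return y_i * inv(pow(w_i, b, P)) % P


def decode(g_mu, message_space):
    """Recover mu from g^mu by table lookup over a small message space M."""
    for mu in message_space:
        if pow(G, mu, P) == g_mu:
            return mu
    return None


def run_ot(mu, sigma, seed=0, message_space=range(2)):
    """Full exchange. Returns (recovered mu_sigma, {i: y_i / w_i^b for i != sigma},
    {i: g^(mu_i + (i - sigma) s_i)}); the last two should coincide."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    coins = [(rng.randrange(Q), rng.randrange(Q)) for _ in mu]
    pairs = responder_reply(mu, *chooser_first_message(sigma, a, b), coins)
    recovered = decode(chooser_unblind(pairs, sigma, b), message_space)
    masked = {i: chooser_unblind(pairs, i, b) for i in range(1, len(mu) + 1) if i != sigma}
    predicted = {i: pow(G, (mu[i - 1] + (i - sigma) * coins[i - 1][1]) % Q, P) for i in masked}
    return recovered, masked, predicted


if __name__ == "__main__":
    print(run_ot([1, 0, 1, 1], sigma=2, seed=7))
```

The identity behind step 3 is $w_\sigma^b = g^{b r_\sigma + ab s_\sigma}$ while $v_\sigma = g^{b r_\sigma + (ab - \sigma + 1 + \sigma - 1) s_\sigma}$, so the two agree exactly when $i = \sigma$; for $i \ne \sigma$ the quotient carries the extra factor $g^{(i - \sigma) s_i}$, which is uniform in the group because $s_i$ is uniform in $\mathbb{Z}_q$ and $0 < |i - \sigma| < q$. The example only exercises correctness; the DDH and left-or-right arguments of Theorem 2 are not something a toy group can demonstrate.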
Theorem 2. Let $\binom{n}{1}\text{-OT}_K(\cdot;\cdot)$ be the described oblivious transfer protocol. (a) If a malicious $\mathcal{R}^*$ can guess the value of $\sigma$ with advantage $\varepsilon$, then he can solve the Decisional Diffie-Hellman (DDH) problem with the same probability and in approximately the same time. (b) This protocol is $(m - d)(n - 1)/q \le m(n - 1)/q$-secure in the left-or-right sense, where $d := q \bmod m$ and $m := |M|$.

Proof (Sketch). (a) Assume that $\mathcal{R}^*$ can guess $\sigma$ with probability $\varepsilon$, given her view $(A, B, C) = (g^a, g^b, g^{ab - \sigma + 1})$. But then she can solve the DDH problem (given $(g^a, g^b, g^c)$ for random $a$ and $b$, decide whether $c = ab$ or not) with probability $\varepsilon$: given an input $(g^a, g^b, g^c)$, she just computes such a $\sigma$ for which $c = ab - \sigma + 1$. After that, she only has to check whether $\sigma = 1$ or not.

(b) W.l.o.g., assume that $\sigma = 1$. Define $\nu[j]$ to be the vector for which $\nu[j]_i = \mu[1]_i$ if $i > j$, and $\nu[j]_i = \mu[2]_i$ if $i \le j$. Thus $\nu[1] = \mu[1]$ (since $\mu[1]_1 = \mu[2]_1$), while $\nu[n] = \mu[2]$, and for all $j$, $\nu[j-1]$ and $\nu[j]$ differ only in the $j$th element, $\nu[j-1]_j \ne \nu[j]_j$. Thus, our goal is to show that $\mathrm{Adv}^{lor}(\mathcal{I}^*(\nu[1], \nu[n]), \mathcal{R}) \le m(n-1)/q$. For this we will prove that $\mathrm{Adv}^{lor}(\mathcal{I}^*(\nu[j-1], \nu[j]), \mathcal{R}) \le (m-d)/q \le m/q$ for every $j \in [2, n]$ and then use the triangle inequality to establish that $\mathrm{Adv}^{lor}(\mathcal{I}^*(\mu[1], \mu[2]), \mathcal{R}) \le \sum_{j=2}^{n} \mathrm{Adv}^{lor}(\mathcal{I}^*(\nu[j-1], \nu[j]), \mathcal{R})$.

Now, fix a $j \in [2, n]$. After the protocol execution $(\mathcal{I}^*, \mathcal{R})$, $\mathcal{R}$ flipping the coin $b \in [1, 2]$, $\mathcal{I}^*$ must guess the value of $b$, based on his private input $(\nu[j-1], \nu[j])$, his private output $\nu[j-2+b]_1$, and the protocol view. Since $\nu[j-1]_i = \nu[j]_i$ for $i \ne j$, this is equivalent to guessing whether $\nu[j-2+b]_j = \nu[j-1]_j$ or $\nu[j-2+b]_j = \nu[j]_j$. Clearly, his success is maximized here when $\nu[j-1]_j \ne \nu[j]_j$. Next, $\mathcal{I}^*$'s view consists of $(A, B, C; \{(w_i, y_i)\})$, where $(w_j, y_j) = (g^{r_j} A^{s_j}, g^{\mu_j} B^{r_j}(C g^{j-1})^{s_j})$ for $A$, $B$ and $C$ chosen by himself. Since $\mathcal{I}^*$ is unbounded, he can find the value of $a \ne 0$, and therefore he knows that $(w_j, y_j) = (g^{r_j + a s_j}, g^{\mu_j + b r_j}(C g^{j-1})^{s_j})$. Since $r_j$ and $s_j$ are randomly chosen by an honest $\mathcal{R}$, the elements $w_j$ look completely random to $\mathcal{I}^*$, and do not help in guessing the value of $\mu_j$. He also cannot use any information in $(w_i, y_i)$, $i \ne j$, since these values do not depend on $\mu_j$.

Thus, to guess the value $\nu[j-2+b]_j$, he must find a bias in the value $\alpha B^{r_j}(C g^{j-1})^{s_j} = \alpha g^{b r_j + (ab + j - \sigma) s_j} \bmod q$. Note that $x := \alpha g^{b r_j + (ab + j - \sigma) s_j}$ is a random element of $\mathbb{Z}_p^*$ due to the choice of $r_j$ and $s_j$, unless $b = ab + j - \sigma = 0$. The latter will automatically hold if $j = \sigma$, but only with a negligible probability otherwise. Thus, we can assume that $x$ is chosen randomly from $\mathbb{Z}_p^*$. Guessing $\mu_j \in \mathbb{Z}_m$ from $y_j$ is equivalent to guessing the value $(x \bmod q) \bmod m$. Denote $e := \lfloor q/m \rfloor$. Since $q \mid (p - 1)$, $x \bmod q$ is a random element of $\mathbb{Z}_q$, and $\#\{x : (x \bmod q) \bmod m = j\} \in e + c$, where $c \in \{0, 1\}$ is $1$ iff $j < d$. Thus the best strategy of $\mathcal{I}^*$ is to guess that $x$ is equivalent to some element $j < d$, and equivalently, that $\nu[j-2+b]_j \bmod m > d$. He will achieve this by choosing exactly one of the two elements $\nu[j-1]_j$ and $\nu[j]_j$ to have a residue modulo $m$ that is less than $d$. Then he will succeed with probability $e/q + 1/q$, which gives him an advantage $e/q + 1/q - 1/m = (m - d)/q < m/q$ over randomly guessing the bit $b$. $\square$

Security in the left-or-right sense is both necessary and sufficient for our purposes. Namely, in the RRT-W protocol (Sect. 6), the interviewer $\mathcal{I}^*$ knows that the input is, up to the permutation of indices, one of two values. For small $n$, the number of permutations is small, and thus with a high probability $\mathcal{I}^*$ can guess that $\mu$ is one of two Boolean vectors known to him. Without security in the left-or-right sense, he would be able to guess which of the two vectors is currently used, and thus to find the type of the respondent. On the other hand, if the oblivious transfer protocol is secure in the left-or-right sense, $\mathcal{I}^*$ cannot predict the Hamming weight $W_H(\mu) = \#\{i : \mu_i = 1\}$ of $\mathcal{R}$'s input.

B Detailed Quantum CRRT

B.1 Background on Quantum Information

In this section, we describe the basic notions of quantum information needed to understand the quantum protocol and the analysis of its simplified version in Section 6.

For a more detailed introduction to quantum information, we refer to the book by Nielsen and Chuang [NC00]. A qubit is the basic unit of quantum information, similar to a bit in conventional (classical) computing. A qubit has two basis states that are denoted by $|0\rangle$ and $|1\rangle$. A general state of a qubit is $\alpha|0\rangle + \beta|1\rangle$, with $\alpha, \beta$ being complex numbers with $|\alpha|^2 + |\beta|^2 = 1$.

We can perform two types of operations on quantum bits: unitary transformations and measurements. The simplest measurement of a qubit $\alpha|0\rangle + \beta|1\rangle$ is in the computational basis; it gives the result $0$ with probability $|\alpha|^2$ and $1$ with probability $|\beta|^2$. The state of the qubit then becomes $|0\rangle$ or $|1\rangle$. Therefore, repeating the measurement gives the same outcome. As long as we only consider this one type of measurement, the state $\alpha|0\rangle + \beta|1\rangle$ behaves similarly to a probabilistic state that has been prepared as $0$ with probability $|\alpha|^2$ and $1$ with probability $|\beta|^2$. This analogy disappears, though, when we consider other transformations. A unitary transformation is a linear transformation on the two-dimensional space of all $\alpha|0\rangle + \beta|1\rangle$ that preserves the vector norm. Two examples of unitary transformations are the identity $I(\alpha|0\rangle + \beta|1\rangle) = \alpha|0\rangle + \beta|1\rangle$ and the bit flip $X(\alpha|0\rangle + \beta|1\rangle) = \alpha|1\rangle + \beta|0\rangle$. A general von Neumann measurement on a qubit $|\psi\rangle$ is specified by two orthogonal vectors $|\varphi_0\rangle$ and $|\varphi_1\rangle$. The outcome is either $0$ or $1$; the probability of outcome $i$ is equal to the squared inner product of $|\psi\rangle$ and $|\varphi_i\rangle$. The state of the qubit becomes $|\varphi_i\rangle$. This measurement can be reduced to the measurement in the computational basis as follows. We take a unitary $U$ that maps $|\varphi_0\rangle$ to $|0\rangle$ and $|\varphi_1\rangle$ to $|1\rangle$. We apply $U$ to the state that we want to measure. Then, we measure the resulting state in the computational basis and apply $U^{-1}$.

Distinguishability. Assume someone prepares two states $|\varphi_0\rangle$ and $|\varphi_1\rangle$, flips a fair coin $i \in [0, 1]$, and sends $|\varphi_i\rangle$ to us. We would like to guess $i$ by measuring the state. We measure our success by the probability that our guess $j \in \{0, 1\}$ coincides with $i$. If $|\varphi_0\rangle$ and $|\varphi_1\rangle$ are orthogonal, a von Neumann measurement in the $|\varphi_0\rangle, |\varphi_1\rangle$ basis tells $i$ with certainty. For non-orthogonal states, no measurement gives $i$ with certainty.

Fact 1 [NC00] The maximum success probability with which we can distinguish $|\varphi_0\rangle$ from $|\varphi_1\rangle$ is $\frac12 + \frac{\sin\beta}{2}$, $\beta$ being the angle between $|\varphi_0\rangle$ and $|\varphi_1\rangle$.

The above definitions are sufficient to understand the protocol and the analysis of its simplified version in Section 6. For the full security proof, more advanced notions like density matrices are needed, which are described in Sect. B.2.
B.2 Density Matrices

To prove the security of Protocol 3, we need the more advanced formalism of density matrices. We interpret $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ as a column vector $(\alpha, \beta)^T$. Let $\langle\psi|$ denote the row vector $(\alpha^*\ \beta^*)$, with $*$ being the complex conjugation operator. Then, the density matrix of $|\psi\rangle$ is $|\psi\rangle\langle\psi|$.

Next, assume that we generate a classical random variable that is $i$ with probability $p_i$ and then prepare a quantum state $|\psi_i\rangle$ dependent on $i$. This creates a mixed quantum state. It can also be described by a density matrix $\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|$. If we measure a mixed state with a density matrix $\rho$ in a basis $|\varphi_0\rangle, |\varphi_1\rangle$, the probability of getting outcome $i$ is $\langle\varphi_i|\rho|\varphi_i\rangle$ (i.e., we multiply the density matrix with the row vector $\langle\varphi_i|$ on the left and the column vector $|\varphi_i\rangle$ on the right and get a number which is the probability). The following is a counterpart of Fact 1 for mixed states.

Fact 2 [NC00] The maximum success probability with which we can distinguish $\rho_0$ from $\rho_1$ is $\frac12 + \frac{\|\rho_0 - \rho_1\|_t}{4}$, where $\|A\|_t$ is the trace norm of $A$ (the trace (sum of diagonal entries) of the matrix $\sqrt{A^\dagger A}$).
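As an added example (the editor's code, not the paper's), the following Python implements the objects defined in this subsection for a single qubit: $|\psi\rangle\langle\psi|$, mixtures $\rho = \sum_i p_i|\psi_i\rangle\langle\psi_i|$, the measurement probability $\langle\varphi|\rho|\varphi\rangle$, the trace norm of a Hermitian $2 \times 2$ matrix (the sum of the absolute values of its eigenvalues), and the two distinguishability bounds. It checks that Fact 2 reduces to Fact 1 on the pure states $|\psi_0\rangle, |\psi_1\rangle$ of Protocol 3, and that the mixture used later in the proof of Lemma 2 (Sect. B.3), namely $(|0\rangle + |1\rangle)/\sqrt2$ with probability $2\alpha$ and $|0\rangle$, $|1\rangle$ with probability $\frac12 - \alpha$ each, does have density matrix $\begin{pmatrix} 1/2 & \alpha \\ \alpha & 1/2 \end{pmatrix}$. The numeric values $p_{ct} = 3/4$ and $\alpha = 0.2$ are constructed.

```python
import math


def ket(u, p_ct):
    """|psi_u> = sqrt(p_ct)|u> + sqrt(1 - p_ct)|1 - u> as a column vector (list of complex)."""
    v = [0j, 0j]
    v[u] = complex(math.sqrt(p_ct))
    v[1 - u] = complex(math.sqrt(1 - p_ct))
    return v


def density(psi):
    """|psi><psi|: entry (i, j) is psi_i * conj(psi_j)."""
    return [[psi[i] * psi[j].conjugate() for j in range(2)] for i in range(2)]


def mixture(weighted_states):
    """rho = sum_i p_i |psi_i><psi_i| for a list of (p_i, |psi_i>)."""
    rho = [[0j, 0j], [0j, 0j]]
    for p, psi in weighted_states:
        d = density(psi)
        for i in range(2):
            for j in range(2):
                rho[i][j] += p * d[i][j]
    return rho


def outcome_probability(rho, phi):
    """<phi|rho|phi>: row vector on the left, column vector on the right."""
    return sum(phi[i].conjugate() * rho[i][j] * phi[j]
               for i in range(2) for j in range(2)).real


def trace_norm(A):
    """||A||_t for a Hermitian 2x2 matrix: trace of sqrt(A^dag A) = |lambda_1| + |lambda_2|,
    with the eigenvalues obtained from the trace and the determinant."""
    tr = (A[0][0] + A[1][1]).real
    det = (A[0][0] * A[1][1] - A[0][1] * A[1][0]).real
    half_gap = math.sqrt(max(0.0, tr * tr / 4 - det))
    return abs(tr / 2 + half_gap) + abs(tr / 2 - half_gap)


def distinguish_pure(psi0, psi1):
    """Fact 1: 1/2 + sin(beta)/2, where cos(beta) = |<psi0|psi1>|."""
    cos_b = abs(sum(psi0[i].conjugate() * psi1[i] for i in range(2)))
    return 0.5 + math.sqrt(max(0.0, 1 - cos_b ** 2)) / 2


def distinguish_mixed(rho0, rho1):
    """Fact 2: 1/2 + ||rho0 - rho1||_t / 4."""
    diff = [[rho0[i][j] - rho1[i][j] for j in range(2)] for i in range(2)]
    return 0.5 + trace_norm(diff) / 4


def lemma2_mixture(alpha):
    """The decomposition used in the proof of Lemma 2: (|0> + |1>)/sqrt2 with probability
    2 alpha, |0> and |1> with probability 1/2 - alpha each. Expected: [[1/2, alpha], [alpha, 1/2]]."""
    plus = [complex(1 / math.sqrt(2)), complex(1 / math.sqrt(2))]
    return mixture([(2 * alpha, plus), (0.5 - alpha, [1 + 0j, 0j]), (0.5 - alpha, [0j, 1 + 0j])])


if __name__ == "__main__":
    psi0, psi1 = ket(0, 0.75), ket(1, 0.75)
    print(distinguish_pure(psi0, psi1), distinguish_mixed(density(psi0), density(psi1)))
    print(lemma2_mixture(0.2))
```

For the honest value $\alpha = \sqrt{p_{ct}(1 - p_{ct})}$ the Lemma 2 mixture coincides with the equal-weight mixture of $|\psi_0\rangle$ and $|\psi_1\rangle$, which is exactly the state an honest $\mathcal{I}$ leaves with $\mathcal{R}$ when $u$ is a fair coin; that is the sense in which the off-diagonal entry $\alpha$ in Sect. B.3 measures how faithfully $\mathcal{I}^*$ prepared the qubit.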

B.3 Security Proofs for Protocol 3

Security against Malicious Interviewer.

Theorem 3. If a strategy for dishonest $\mathcal{I}^*$ leads to being caught with probability at most $\varepsilon$, then $\mathcal{I}^*$ can learn $t$ correctly with probability at most $p_{ct} + \frac{\sqrt{1 - 4p_{ct}(1 - p_{ct}) + 8\varepsilon} - \sqrt{1 - 4p_{ct}(1 - p_{ct})}}{2}$.

Security of this type (cheating is possible but not without risk of being detected) is common to many quantum protocols, for example quantum bit commitment [ATVY00] or coin flipping [SR02]. We note that our security guarantee is stronger than the one achieved in [ATVY00]. Namely, in the bit commitment protocol of [ATVY00], a dishonest party can successfully cheat with probability $\varepsilon$ so that the probability of being detected is just $O(\varepsilon^2)$.

Proof (Theorem 3). Assume that we are given a strategy for dishonest $\mathcal{I}^*$. First, notice that if we reverse the roles of $|0\rangle$ and $|1\rangle$ everywhere in this strategy, both the probability of passing the test and the probability of learning $t$ correctly remain the same. Therefore, we can assume that the protocol is symmetric w.r.t. switching $|0\rangle$ and $|1\rangle$.

Consider the state of the first quantum bit sent by $\mathcal{I}^*$. In the general case, $\mathcal{I}^*$ can send probabilistic combinations of various quantum states. Therefore, the first quantum bit can be in a mixed state with some density matrix
$$\rho = \begin{pmatrix} a & \alpha + \beta i \\ \alpha - \beta i & b \end{pmatrix}.$$
Since the strategy is symmetric w.r.t. switching $|0\rangle$ and $|1\rangle$, $\rho$ must also be symmetric in the same sense, implying that $a = b = 1/2$ and $\beta = 0$. Thus,
$$\rho = \begin{pmatrix} 1/2 & \alpha \\ \alpha & 1/2 \end{pmatrix}.$$

If $\mathcal{I}$ is honest, $\alpha = \sqrt{p_{ct}(1 - p_{ct})}$. Theorem 3 follows from the following two lemmas.

Lemma 1. The probability of $\mathcal{I}^*$ failing the test if the first quantum bit is chosen for verification is at least $(\sqrt{p_{ct}(1 - p_{ct})} - \alpha)\sqrt{p_{ct}(1 - p_{ct})}$.

Lemma 2. The probability of $\mathcal{I}^*$ learning $t$ correctly if the first bit is used for the protocol and the second bit is used for verification is at most $\frac12 + \frac{\sqrt{1 - 4\alpha^2}}{2}$.

We will for a moment assume the validity of these lemmas (their proofs are given slightly later), and will now continue with the proof of the theorem.

Let $\varepsilon$ be the probability with which $\mathcal{I}^*$ allows himself to be caught. By Lemma 1, $(\sqrt{p_{ct}(1 - p_{ct})} - \alpha)\sqrt{p_{ct}(1 - p_{ct})} \le \varepsilon$. Therefore, $\alpha \ge \sqrt{p_{ct}(1 - p_{ct})} - \frac{\varepsilon}{\sqrt{p_{ct}(1 - p_{ct})}}$. By substituting that into Lemma 2, we get $\frac12 + \frac{\sqrt{1 - 4\alpha^2}}{2} \le \frac12 + \frac{\sqrt{1 - 4p_{ct}(1 - p_{ct}) + 8\varepsilon}}{2}$. If $\mathcal{I}^*$ is honest, the probability that $r = t$ is $\frac12 + \frac{\sqrt{1 - 4p_{ct}(1 - p_{ct})}}{2} = p_{ct}$. Thus the extra advantage gained by $\mathcal{I}^*$ is at most $\frac{\sqrt{1 - 4p_{ct}(1 - p_{ct}) + 8\varepsilon} - \sqrt{1 - 4p_{ct}(1 - p_{ct})}}{2}$ (assuming that $p_{ct} > 1/2$). $\square$

Proof (Lemma 1). When the first bit is chosen for verification, $\mathcal{I}^*$ either claims that it is $|\psi_0\rangle$ or $|\psi_1\rangle$. By symmetry, the probability of each of those is $1/2$. We partition $\rho = \frac12\rho_0 + \frac12\rho_1$, with $\rho_i$ being the part for which $\mathcal{I}^*$ claims that the state is $|\psi_i\rangle$. Let
$$\rho_0 = \begin{pmatrix} a' & \alpha' \\ \alpha' & b' \end{pmatrix}.$$
By symmetry, $\rho_1$ should be the same with $|0\rangle$ and $|1\rangle$ reversed:
$$\rho_1 = \begin{pmatrix} b' & \alpha' \\ \alpha' & a' \end{pmatrix}.$$
Since $\rho = \frac12\rho_0 + \frac12\rho_1$, $a' + b' = 1$ and $\alpha' = \alpha$. Therefore, we have
$$\rho_0 = \begin{pmatrix} a' & \alpha \\ \alpha & 1 - a' \end{pmatrix}.$$
The probability of this state passing verification as $|\psi_0\rangle$ is
$$\langle\psi_0|\rho_0|\psi_0\rangle = \begin{pmatrix} \sqrt{p_{ct}} & \sqrt{1 - p_{ct}} \end{pmatrix} \begin{pmatrix} a' & \alpha \\ \alpha & 1 - a' \end{pmatrix} \begin{pmatrix} \sqrt{p_{ct}} \\ \sqrt{1 - p_{ct}} \end{pmatrix} = a' p_{ct} + (1 - a')(1 - p_{ct}) + 2\alpha\sqrt{p_{ct}(1 - p_{ct})}$$
$$\le p_{ct}^2 + (1 - p_{ct})^2 + 2\alpha\sqrt{p_{ct}(1 - p_{ct})} = (p_{ct} + (1 - p_{ct}))^2 - (\sqrt{p_{ct}(1 - p_{ct})} - \alpha)\sqrt{p_{ct}(1 - p_{ct})} = 1 - (\sqrt{p_{ct}(1 - p_{ct})} - \alpha)\sqrt{p_{ct}(1 - p_{ct})}.$$
$\square$
Proof (Lemma 2). We assume that the second qubit has been prepared perfectly and its verification always succeeds. (If $\mathcal{I}^*$ cheated in preparing the second qubit as well, this only decreases the probability of success for $\mathcal{I}^*$ and the claim that we prove remains valid.)

After the test is passed on the second qubit, $\mathcal{R}$ has the first qubit in the mixed state $\rho$. The mixed state $\rho$ is the same as the one obtained by taking $\frac{1}{\sqrt2}|0\rangle + \frac{1}{\sqrt2}|1\rangle$ with probability $2\alpha$ and $|0\rangle$, $|1\rangle$ with probabilities $\frac12 - \alpha$ each. Therefore, the joint state of $\mathcal{I}^*$ and $\mathcal{R}$ is equivalent to $|\psi_{(\mathcal{R},\mathcal{I}^*)}\rangle = \sqrt{\tfrac12 - \alpha}\,|0\rangle_{\mathcal{I}^*}|0\rangle_{\mathcal{R}} + \sqrt{\tfrac12 - \alpha}\,|1\rangle_{\mathcal{I}^*}|1\rangle_{\mathcal{R}} + \sqrt{2\alpha}\,|2\rangle_{\mathcal{I}^*}\left(\tfrac{1}{\sqrt2}|0\rangle + \tfrac{1}{\sqrt2}|1\rangle\right)_{\mathcal{R}}$. If $\mathcal{R}$'s secret bit $t = 0$, he just sends his part back to $\mathcal{I}^*$. After that, $\mathcal{I}^*$ possesses the entire state $|\psi_{(\mathcal{R},\mathcal{I}^*)}\rangle$. Otherwise, $\mathcal{R}$ flips the qubit before sending it back and $\mathcal{I}^*$ gets $|\psi'_{(\mathcal{R},\mathcal{I}^*)}\rangle = \sqrt{\tfrac12 - \alpha}\,|0\rangle_{\mathcal{I}^*}|1\rangle_{\mathcal{R}} + \sqrt{\tfrac12 - \alpha}\,|1\rangle_{\mathcal{I}^*}|0\rangle_{\mathcal{R}} + \sqrt{2\alpha}\,|2\rangle_{\mathcal{I}^*}\left(\tfrac{1}{\sqrt2}|0\rangle + \tfrac{1}{\sqrt2}|1\rangle\right)_{\mathcal{R}}$. Now, the question is how well $\mathcal{I}^*$ can distinguish these two states. By Fact 1, the best probability with which he can get $t$ is $\frac12 + \frac{\sin\beta}{2} = \frac12 + \frac{\sqrt{1 - \cos^2\beta}}{2}$, where $\beta$ is the angle between the two states; $\cos\beta$ is equal to the inner product of $|\psi_{(\mathcal{R},\mathcal{I}^*)}\rangle$ and $|\psi'_{(\mathcal{R},\mathcal{I}^*)}\rangle$, which is $2\alpha$ (because the first two components of $|\psi_{(\mathcal{R},\mathcal{I}^*)}\rangle$ are orthogonal to the first two components of $|\psi'_{(\mathcal{R},\mathcal{I}^*)}\rangle$, and the third component is equal). $\square$

Security against Malicious Respondent.

Theorem 4. Let $p_{ct} < \frac12 + \frac{\sqrt3}{4} = 0.933\ldots$. If $\mathcal{I}$ is honest, $\mathcal{R}^*$ cannot achieve $t = 0$ (or $t = 1$) with probability more than $p_{adv} \le \frac12 + \sqrt{\sqrt{4p_{ct} - 4p_{ct}^2} - (4p_{ct} - 4p_{ct}^2)}$.

The probability $p_{adv}$ remains less than $1$ for all $p_{ct} < 0.933\ldots$. Thus, our protocol offers nontrivial security guarantees for all $p_{ct} < 0.933\ldots$. Since the expression for $p_{adv}$ is quite complicated, we also present a simple but less precise bound. Let $p_{ct} = \frac12 + \varepsilon$. Then, $p_{adv} \le \frac12 + \sqrt2\varepsilon$. Informally, this means that no respondent can make his vote count as more than $\sqrt2$ votes. This gives a non-trivial bound on $p_{adv}$ for $p_{ct} < \frac12 + \frac{1}{2\sqrt2} = 0.853\ldots$.

If $0.853\ldots < p_{ct} < 0.933\ldots$, then $\frac12 + \sqrt2\varepsilon > 1$ but $p_{adv} < 1$, which can be seen by evaluating the expression of Theorem 4 directly.
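An added numerical check (the editor's code, not part of the paper) of the two bounds just stated, in Python: it evaluates the Theorem 4 expression and the simpler $\frac12 + \sqrt2\varepsilon$ bound over a sweep of $p_{ct}$, confirms the two thresholds $\frac12 + \frac{\sqrt3}{4}$ and $\frac12 + \frac{1}{2\sqrt2}$, and restates each bound as the number of honest votes a forced answer is worth, $(p_{adv} - \frac12)/(p_{ct} - \frac12)$, which is how the "$\sqrt2$ votes" remark is to be read. The function names are the editor's, and outside the range in which Theorem 4 applies the tight bound is returned as the trivial value $1$.

```python
import math

P_MAX_TIGHT = 0.5 + math.sqrt(3) / 4          # 0.933..., where the Theorem 4 bound reaches 1
P_MAX_SIMPLE = 0.5 + 1 / (2 * math.sqrt(2))   # 0.853..., where 1/2 + sqrt(2)*eps reaches 1


def p_adv_bound(p_ct):
    """Theorem 4: p_adv <= 1/2 + sqrt( sqrt(4p - 4p^2) - (4p - 4p^2) ) for 1/2 < p_ct < P_MAX_TIGHT.
    Outside that range the theorem gives nothing, so the trivial bound 1 is returned."""
    if not 0.5 < p_ct <= P_MAX_TIGHT + 1e-12:
        return 1.0
    cos2 = 4 * p_ct - 4 * p_ct ** 2            # cos^2(beta), since sin(beta) = 2 p_ct - 1
    return min(1.0, 0.5 + math.sqrt(max(0.0, math.sqrt(cos2) - cos2)))


def simple_bound(p_ct):
    """The weaker but simpler bound 1/2 + sqrt(2) * eps, with eps = p_ct - 1/2."""
    return 0.5 + math.sqrt(2) * (p_ct - 0.5)


def vote_weight(p_forced, p_ct):
    """How many honest answers a respondent who forces r = t with probability p_forced is worth:
    an honest answer shifts the expected answer by p_ct - 1/2, a forced one by p_forced - 1/2."""
    return (p_forced - 0.5) / (p_ct - 0.5)


def sweep(steps=400):
    """Sample p_ct in (1/2, P_MAX_SIMPLE); return the largest gap simple - tight (should be >= 0)
    and the largest vote weight under the tight and under the simple bound."""
    max_gap = -1.0
    max_weight_tight = max_weight_simple = 0.0
    for k in range(1, steps):
        p = 0.5 + (P_MAX_SIMPLE - 0.5) * k / steps
        tight, simple = p_adv_bound(p), simple_bound(p)
        max_gap = max(max_gap, simple - tight)
        max_weight_tight = max(max_weight_tight, vote_weight(tight, p))
        max_weight_simple = max(max_weight_simple, vote_weight(simple, p))
    return max_gap, max_weight_tight, max_weight_simple


if __name__ == "__main__":
    for p in (0.6, 0.75, P_MAX_SIMPLE, 0.9, P_MAX_TIGHT):
        print(round(p, 4), round(p_adv_bound(p), 4), round(simple_bound(p), 4))
    print(sweep())
```

Under the simple bound the vote weight is exactly $\sqrt2$ for every $p_{ct}$, while the Theorem 4 expression gives a smaller weight (about $1.36$ at $p_{ct} = 3/4$); at $p_{ct} = \frac12 + \frac{\sqrt3}{4}$ the inner term $\cos\beta - \cos^2\beta$ reaches its maximum $1/4$ and the bound becomes $1$, which is the threshold stated in the theorem.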

Proof. There are four possible states that a responder can receive from an honest $\mathcal{I}$: $|\psi_0\rangle|\psi_0\rangle$, $|\psi_0\rangle|\psi_1\rangle$, $|\psi_1\rangle|\psi_0\rangle$, $|\psi_1\rangle|\psi_1\rangle$. An honest responder then randomly requests to verify one of the two quantum bits. A dishonest $\mathcal{R}^*$ can measure the state and then decide which of the two bits to verify based on the result of the measurement, so that his chances of guessing the other state are maximized. Without loss of generality, $\mathcal{R}^*$'s measurement has two outcomes, $0$ and $1$, and the index $i$ that is sent back to $\mathcal{I}$ is equal to the outcome of the measurement. Then, we have
$$|\psi_{u_0}\psi_{u_1}\rangle = \alpha_{u_0u_1}|0\rangle|\psi'_{u_0u_1}\rangle + \beta_{u_0u_1}|1\rangle|\psi''_{u_0u_1}\rangle,$$
where the first qubit is the one being measured and $|\psi'_{u_0u_1}\rangle$ ($|\psi''_{u_0u_1}\rangle$) is the rest of the quantum state that remains with $\mathcal{R}^*$ after the measurement. By symmetry, we can assume that $\alpha_{u_0u_1} = \beta_{u_0u_1} = \frac{1}{\sqrt2}$.
Similarly to the simplified protocol in Sect. 6, the probability of $\mathcal{R}^*$ fixing $r = 0$ (or $r = 1$) is equal to the probability that he correctly guesses $u_{1-i}$. We bound this probability. For brevity, assume that $\mathcal{R}^*$ has requested $u_1$ from $\mathcal{I}$ and received $u_1 = 0$. Then, if $u_0 = 0$, his remaining state is $|\psi'_{00}\rangle$ and if $u_0 = 1$, his remaining state is $|\psi'_{10}\rangle$. The probability with which he can guess $u_0$ is, by Fact 1, at most $p_{adv} = \frac12 + \frac{\sin\beta'}{2}$ where $\beta'$ is the angle between $|\psi'_{00}\rangle$ and $|\psi'_{10}\rangle$. Remember that, by the analysis of Sect. 6, the probability of $r = t$ in the honest case is described by the similar expression $p_{ct} = \frac12 + \frac{\sin\beta}{2}$, where $\beta$ is the angle between $|\psi_0\rangle$ and $|\psi_1\rangle$.

Next, we express $\beta'$ by $\beta$. Remember that $\langle\psi|\psi'\rangle$ denotes the inner product between $|\psi\rangle$ and $|\psi'\rangle$. The inner product $\langle\psi_0|\psi_1\rangle$ is equal to $\cos\beta$. The inner product between $|\psi_0\rangle|\psi_0\rangle$ and $|\psi_1\rangle|\psi_0\rangle$ is the same $\cos\beta$ because the second qubit is in the same state in both cases. This inner product is also equal to $\frac12\langle\psi'_{00}|\psi'_{10}\rangle + \frac12\langle\psi''_{00}|\psi''_{10}\rangle$. The first part is $\cos\beta'$, the second part is at most $1$. Therefore, $\frac12(\cos\beta' + 1) \ge \cos\beta$ and $\cos\beta' \ge 2\cos\beta - 1$. We have $\sin\beta' = \sqrt{1 - \cos^2\beta'} \le \sqrt{4(\cos\beta - \cos^2\beta)}$ and $p_{adv} \le \frac12 + \frac{\sin\beta'}{2} = \frac12 + \sqrt{\cos\beta - \cos^2\beta}$. Remember that in the honest protocol, the probability that $r = t$ is $p_{ct} = \frac12 + \frac{\sin\beta}{2}$. Therefore, $\sin\beta = 2p_{ct} - 1$, $\cos\beta = \sqrt{1 - \sin^2\beta} = \sqrt{4p_{ct} - 4p_{ct}^2}$ and, by substituting this into $p_{adv} \le \frac12 + \sqrt{\cos\beta - \cos^2\beta}$, we get the theorem. $\square$

To show the $p_{adv} \le \frac12 + \sqrt2\varepsilon$ upper bound, it suffices to show $\sqrt{\cos\beta - \cos^2\beta} \le \sqrt2\varepsilon$. Since $\varepsilon = \frac{\sin\beta}{2}$, this follows from
$$\frac{\sqrt{\cos\beta - \cos^2\beta}}{(\sin\beta)/2} = \frac{2\sqrt{\cos\beta - \cos^2\beta}}{\sqrt{1 - \cos^2\beta}} = \frac{2\sqrt{\cos\beta}}{\sqrt{1 + \cos\beta}} \le \frac{2\sqrt{\cos\beta}}{\sqrt{2\cos\beta}} = \sqrt2.$$



